Abstract. The BBCRS scheme is a variant of the McEliece public-key encryption scheme where the hiding phase is performed by taking the inverse of a matrix which is of the form $T+R$, where $T$ is a sparse matrix with average row/column weight equal to a very small quantity $m$, usually $m < 2$, and $R$ is a matrix of small rank $z \ge 1$. The rationale of this new transformation is the reintroduction of families of codes, like generalized Reed-Solomon codes, that are famously known for representing insecure choices. We present a key-recovery attack when $z = 1$ and $m$ is chosen between 1 and $1 + R + O(\frac{1}{\sqrt{n}})$ where $R$ denotes the code rate. This attack has complexity $O(n^6)$ and breaks all the parameters suggested in the literature.
Introduction

Post-quantum cryptography. All public key cryptographic primitives used in practice such as RSA, the ElGamal scheme, DSA or ECDSA rely either on the difficulty of factoring or of computing the discrete logarithm and would therefore be broken by Shor's algorithm [23] if a large enough quantum computer could be built. Moreover, even if a large enough quantum computer might not be built in the next five years, it should be mentioned that tremendous progress has been made in computing the discrete logarithm over finite fields of small characteristic with the quasi-polynomial time algorithm of [5]. This lack of diversity in public key cryptography has been identified as a major concern in the field of information security. For all these reasons, it would be very desirable to be ready to replace these schemes by others that would rely on other hard problems. However, only a few other proposals have emerged, which are essentially hash-based signature schemes, lattice-based, code-based and multivariate quadratic based schemes. They are based on the problem of solving multivariate equations over a finite field, the problem of finding a short vector in a lattice or the problem of decoding a linear code. Those problems are known to be NP-hard and are therefore believed to be immune to the quantum computer threat.

The McEliece cryptosystem. Among those, one of the most promising schemes is the McEliece public key cryptosystem [20]. It is also one of the oldest public-key cryptosystems. It uses a family of codes for which there is a fast decoding algorithm (the binary Goppa code family here) which is used in the decryption process, whereas an attacker has only a random generator matrix of the Goppa code which reveals nothing about the algebraic structure of the Goppa code that is used in the decoding process. The attacker therefore has to decode a generic linear code, for which only exponential time decoding algorithms are known. The main advantage of this system is to have very fast encryption and decryption functions. Depending on how the parameters are chosen for a fixed security level, this cryptosystem is about five times faster for encryption and about 10 to 100 times faster for decryption than RSA [8]. Furthermore, it has withstood many attacking attempts. After more than thirty-five years now, it still belongs to the very few public key cryptosystems which remain unbroken.

The use of Reed-Solomon codes in a McEliece scheme. Goppa codes are subfield subcodes of Generalized Reed-Solomon codes (GRS codes in short). This means that a Goppa code defined over $\mathbb{F}_q$ is actually the set of codewords of a GRS code defined over an extension field $\mathbb{F}_{q^\mu}$ (we say that $\mu$ is the extension degree of the Goppa code) whose coordinates all belong to the subfield $\mathbb{F}_q$. Actually the fast decoding process of Goppa codes is the decoder of the underlying GRS code. Roughly speaking, a Goppa code of length $n$ and dimension $n - 2t\mu$ defined over $\mathbb{F}_q$ can correct $t$ errors$^1$ and is a subfield subcode of a GRS code that can also correct $t$ errors, which is of the same length $n$ but has a larger dimension $n - 2t$ and is defined over $\mathbb{F}_{q^\mu}$. In this sense, the underlying GRS code has a better error correction capacity than the Goppa code. This raises the issue of using GRS codes instead of Goppa codes in the McEliece system. The better decoding capacity of GRS codes translates into smaller public key sizes for the McEliece scheme, which is actually one of the main drawbacks of this scheme. This approach has been tried in Niederreiter's scheme (whose security is equivalent to the McEliece scheme) but has encountered a dreadful fate when the Sidelnikov-Shestakov attack appeared [23].

Baldi et al. approach for reviving GRS codes. In their Journal of Cryptology article [2], Baldi et al. have suggested a new way of using GRS codes in this context. Instead of using such a code directly, they multiplied it by the inverse of the sum $T + R$ where $T$ is a sparse matrix and $R$ is a low rank matrix. By doing this, the attacker sees a code which is radically different from a GRS code but the legitimate user can still use the underlying GRS decoder. This thwarts the Sidelnikov-Shestakov attack completely. However the decoding capacity of the resulting code is basically scaled down by a factor of $m$, where $m$ denotes the average weight of the rows of the matrix $T$. It should be noted that the very same approach has also been tried for the Low-Density Parity-Check code family, LDPC in short, which is notoriously known for being insecure in a McEliece scheme [22,4,3]. In this case, they did not even use the low rank matrix and, despite this, the resulting public code obtained by this multiplication is not an LDPC code anymore (it becomes a moderate-density parity-check code) and it seems now that if the attacker wants to break this scheme he has to be able to solve a generic decoding problem [21]. There are therefore good reasons to believe that this approach can be powerful for disguising the secret code structure.

An earlier attempt. Baldi et al. [1] first used this approach with $T$ being a permutation matrix. In this case $m = 1$ and nothing is lost in terms of decoding capacity compared to a GRS decoder. In other words, this allows to decrease the public key size as if we had a GRS code in the McEliece cryptosystem. This first attempt got broken in [11]. Roughly speaking, the reason of this attack in this case can be traced back to two facts: (i) it turns out that the resulting code is still close to the underlying GRS code: the intersection of the public code with the secret GRS code is of co-dimension one; (ii) there is a very powerful way of distinguishing a GRS code [12] from a random code by computing the dimension of its square, which can be used to unravel the algebraic structure of the public code. On the other hand, when the degree of sparseness of $T$ is $> 1$ the resulting code does not have a large intersection with a GRS code and there was some hope to obtain a secure scheme.

$^1$ but the dimension can be increased to $n - t\mu$ in the binary case

Our contribution: an attack which works in the regime $1 < m < 2$. In the present article we will show that despite the fact that the public code is far from being a GRS code, a similar trick that has already been used in [14] to attack successfully some wild Goppa codes proposed in [7] when the degree of extension is only 2 can also be used in this context. It consists in computing the dimension of the square of shortenings of the public code. Because of the hidden structure of the public code, the squares of some of its shortenings have a smaller dimension than the squares of shortened random codes of the same dimension. This distinguisher is then used to unravel the structure of the matrix $T$. This gives an attack of polynomial time complexity which can be used to break the examples given in [2]. Several were broken in a few hours, and others in a few days. As an illustration, Example 1 given in [2] with a claimed 90-bit security can be broken in 2.75 hours on a computer equipped with a Xeon 2.27GHz processor and 72 Gb of RAM. This attack works up to values of $m$ of order $1 + R + O(\frac{1}{\sqrt{n}})$, where $R$ is the rate of the public code. The attack we present here can obviously be thwarted by taking values for $m$ greater than 2, but in this case, since the price to pay is a decrease of the decoding capacity by a factor of more than 2, we do not obtain better public key sizes than the ones we obtain by using Goppa codes, or more generally alternant codes of extension degree 2, provided we choose non-wild Goppa codes in order to avoid the attack of [14]. The complexity of the present attack is similar to that of [11], namely $O(n^6)$ where $n$ is the code length. More precisely, this attack starts with two steps of respective complexity $O(n^3)$ and $O(n^5)$ and then applies the attack of [11] whose complexity is $O(n^6)$ operations in the base field.

1 GRS Codes and the Square Code Construction

We recall in this section a few relevant results and definitions from coding theory and bring in the fundamental notion of square code construction.

Definition 1 (Generalized Reed-Solomon code). Let $k$ and $n$ be integers such that $1 \le k < n \le q$ where $q$ is a prime power. The code $\mathrm{GRS}_k(x, y)$ of dimension $k$ is associated to a pair $(x, y)$ where $x$ is an $n$-tuple of distinct elements of $\mathbb{F}_q$ and $y \in (\mathbb{F}_q^*)^n$, and is defined as:

$$\mathrm{GRS}_k(x, y) \stackrel{\text{def}}{=} \{(y_1 p(x_1), \ldots, y_n p(x_n)) \mid p \in \mathbb{F}_q[X],\ \deg p < k\}.$$

The first work that suggested to use GRS codes in a public-key encryption scheme was [23]. But Sidelnikov and Shestakov [25] showed that for any GRS code it is possible to recover in polynomial time a pair $(x, y)$ defining it, which is all that is needed to decode such codes efficiently and is therefore enough to break any McEliece type cryptosystem [20] that uses GRS codes.

Definition 2 (Componentwise products). Given two vectors $a = (a_1, \ldots, a_n)$ and $b = (b_1, \ldots, b_n) \in \mathbb{F}_q^n$, we denote by $a \star b$ the componentwise product

$$a \star b \stackrel{\text{def}}{=} (a_1 b_1, \ldots, a_n b_n).$$

The star product $a \star b$ should be distinguished from a more common operation, namely the canonical inner product:

$$a \cdot b \stackrel{\text{def}}{=} \sum_{i=1}^{n} a_i b_i.$$

Definition 3 (Product of codes & square code). Let $\mathcal{A}$ and $\mathcal{B}$ be two codes of length $n$. The star product code denoted by $\mathcal{A} \star \mathcal{B}$ of $\mathcal{A}$ and $\mathcal{B}$ is the vector space spanned by all products $a \star b$ where $a$ and $b$ range over $\mathcal{A}$ and $\mathcal{B}$ respectively. When $\mathcal{B} = \mathcal{A}$, then $\mathcal{A} \star \mathcal{A}$ is called the square code of $\mathcal{A}$ and is rather denoted by $\mathcal{A}^2$.

Proposition 1. Let $\mathcal{A}$ be a code of length $n$ and dimension $k$, then

$$\dim(\mathcal{A}^2) \le \min\left\{n, \binom{k+1}{2}\right\}.$$

Proposition 2. Let $\mathcal{A} \subset \mathbb{F}_q^n$ be a code of dimension $k$. The complexity of the computation of a basis of $\mathcal{A}^2$ is $O(k^2 n^2)$ operations in $\mathbb{F}_q$.

See for instance [?] for proofs of Propositions 1 and 2.

The importance of the square code construction becomes clear when we compare the dimension of the square of structured codes like GRS codes with the dimension of the square of a random code. Roughly speaking, given a code of dimension $k$, the dimension of its square is linear in $k$ if it is a GRS code and quadratic if it is a random code, as explained in the two following propositions.

Proposition 3. $\mathrm{GRS}_k(x, y)^2 = \mathrm{GRS}_{2k-1}(x, y \star y)$.

Proof. See for instance [18, Proposition 10].

Remark 1. This property can also be used in the case $2k - 1 > n$. To see this, consider the dual of the Reed-Solomon code, which is itself a generalized Reed-Solomon code [?, Theorem 4, p. 304].

Theorem 1. Let $\mathcal{A}$ be a random code of length $n$ and dimension $k$ such that $n >$ …. Then, for all integers $\ell <$ …,

$$\mathrm{Prob}\left(\dim \mathcal{A}^2 \ldots\right) \qquad (k \to +\infty).$$

Proof. See [10].

Remark 2. A slightly weaker result was already obtained in the papers [?] (see also [?]).

For this reason, $\mathrm{GRS}_k(x, y)$ can be distinguished from a random linear code of the same dimension by computing the dimension of the associated square code. In [15,16], this phenomenon was already observed for $q$-ary alternant codes (in particular Goppa codes) at very high rates, whose duals are distinguishable from random codes in the very same manner. Subsequently, the very same phenomenon led to attacks on GRS based cryptosystems [?], to a polynomial time attack on Wild Goppa codes over quadratic extensions [14] and to a polynomial time attack on algebraic geometry codes [?].

Historically, the star product of codes has been used for the first time by Wieschebrink to cryptanalyze a McEliece-like scheme [6] based on subcodes of Reed-Solomon codes [26]. The use of the star product here is nevertheless different from the way it is used in [26]. In Wieschebrink's paper, the star product is used to identify, given a certain low codimensional subcode $\mathcal{C}$ of a GRS code $\mathrm{GRS}_k(x, y)$, a possible pair $(x, y)$. This is achieved by computing $\mathcal{C}^2$ which turns out to be $\mathrm{GRS}_k(x, y)^2 = \mathrm{GRS}_{2k-1}(x, y \star y)$ with a high probability. The Sidelnikov and Shestakov algorithm is then used on $\mathcal{C}^2$ to recover a possible $(x, y \star y)$ pair to describe $\mathcal{C}^2$ as a GRS code, and hence, a pair $(x, y)$ is deduced for which $\mathcal{C} \subset \mathrm{GRS}_k(x, y)$.

2 Description of the Scheme

The BBCRS public-key encryption scheme given in [2] can be summarized as follows:

Secret key.

– $G_{\mathrm{sec}}$ is a generator matrix of a GRS code of length $n$ and dimension $k$ over $\mathbb{F}_q$.

– $Q \stackrel{\text{def}}{=} T + R$ where $T$ is an $n \times n$ non-singular sparse matrix with elements in $\mathbb{F}_q$ and average row weight $m \ll n$. Note that $m$ is not necessarily an integer. For example $m = 1.4$ means that 40% of the rows of $T$ have weight equal to 2 and the other 60% have weight equal to 1.

– $R$ is a rank-$z$ matrix over $\mathbb{F}_q$ such that $Q$ is invertible. In other words there exist $\alpha = (\alpha_1, \ldots, \alpha_n)$ and $\beta = (\beta_1, \ldots, \beta_n)$ such that $R \stackrel{\text{def}}{=} \alpha^T \beta$, where $\alpha_i$ and $\beta_i$ are $z \times 1$ full rank matrices defined over $\mathbb{F}_q$ for all $i \in \{1, \ldots, n\}$ and $z \ll n$.

– $S$ is a $k \times k$ random invertible matrix over $\mathbb{F}_q$.

Public key.

$$G_{\mathrm{pub}} \stackrel{\text{def}}{=} S^{-1} G_{\mathrm{sec}} Q^{-1} \qquad (1)$$

Encryption. The ciphertext $c \in \mathbb{F}_q^n$ of a plaintext $m \in \mathbb{F}_q^k$ is obtained by drawing at random $e$ in $\mathbb{F}_q^n$ of weight less than or equal to … (recall that $m$ denotes the density of the matrix $T$) and computing $c \stackrel{\text{def}}{=} mG_{\mathrm{pub}} + e$.

Decryption. It consists in performing the three following steps:

1. Guessing the value of $eR$.

2. Calculating $c' \stackrel{\text{def}}{=} cQ - eR = mS^{-1}G_{\mathrm{sec}} + eQ - eR = mS^{-1}G_{\mathrm{sec}} + eT$ and using the decoding algorithm of the GRS code to recover $mS^{-1}$ from the knowledge of $c'$.

3. Multiplying the result of the decoding by $S$ to recover $m$.

Remark 3. In [2], the authors suggest to take $m = 1 + \ldots \approx 2 - R$ for the density of $T$.

Further details on the construction of the matrix $T$. We deal with the case $m \le 2$. According to [2] the matrix $T$ is constructed$^2$ as follows.

$^2$ Actually, the authors propose three constructions for $T$ and express a clear preference for the one described in the present article.
1. Choose a permutation matrix $P$. Replace each 1 by a random element of $\mathbb{F}_q^*$.

2. Set $t \stackrel{\text{def}}{=} \ldots$ and $t' \stackrel{\text{def}}{=} t - \lfloor \ldots \rfloor$ …. Choose a random set $C$ of … columns and a random set $\mathcal{J}_2$ of … rows of $P$.

3. For all $i \in \mathcal{J}_2$, we denote by $\pi(i)$ the integer such that $P_{i,\pi(i)} \ne 0$. For each $i \in \mathcal{J}_2$, choose a random element $j \in C \setminus \{\pi(i)\}$ and add a random element of $\mathbb{F}_q^*$ at position $(i, j)$.

We also tested another construction allowing to have row and column weight upper bounded by 2. The sparse matrix $T$ is constructed as $T = T_1 + T_2$ where:

– $T_1$ is of the form $T_1 = D_1 P_1$, where $D_1$ is diagonal invertible and $P_1$ is a permutation matrix;

– $T_2 = D_2 P_2$, where $D_2$ is diagonal with $(m - 1)n$ nonzero diagonal coefficients and $P_2$ is a permutation matrix;

– The matrices do not overlap, that is, there is no pair $(i, j)$ with $1 \le i, j \le n$ such that both $(T_1)_{ij}$ and $(T_2)_{ij}$ are nonzero.

Our attack works for both choices of the matrix $T$. The experimental results in Section 6 rely on the first construction for $T$.


2.1 Previous attacks and discussion on the parameters

The BBCRS scheme has been subject to an attack [11] in the case $m = 1$, i.e. the matrix $T$ is a permutation matrix, and $z = 1$, i.e. the matrix $R$ has rank 1. The attack presented here holds for $m < 1 + R + O(\frac{1}{\sqrt{n}})$ and $z = 1$. The relevance of choosing higher $m$ or $z$ is discussed in Section 7.

The attack of the present article uses in its last step the attack [11] on the original system [1].

2.2 Notation

It will be convenient to bring in the following notation.

– $\mathcal{C}_{\mathrm{pub}}$ is the code with generator matrix $G_{\mathrm{pub}}$;

– $\mathcal{C}_{\mathrm{sec}}$ is the GRS code with generator matrix $G_{\mathrm{sec}}$; we assume that it is specified by its dual (which is itself a GRS code) as $\mathcal{C}_{\mathrm{sec}}^\perp = \mathrm{GRS}_{n-k}(x, y)$;

– $\mathcal{J}_1$ is the set of positions which correspond to rows of $T$ of Hamming weight 1. The elements of $\mathcal{J}_1$ are called the positions of degree 1. For any row $i \in \mathcal{J}_1$ of $T$, we define $j(i)$ as the unique column of $T$ for which $T_{i,j(i)} \ne 0$;

– $\mathcal{J}_2$ is the set of positions which correspond to rows of $T$ of Hamming weight 2. The positions in $\mathcal{J}_2$ are called the positions of degree 2. When $i$ belongs to $\mathcal{J}_2$, let $j_1$ and $j_2$ be the columns of $T$ for which we have $T_{i,j_1} \ne 0$ and $T_{i,j_2} \ne 0$. We define similarly $j(i)$ as the set $\{j_1, j_2\}$ in this case.


2.3 Structure of the public code

The following result explains how $\mathcal{C}_{\mathrm{pub}}$ and $\mathcal{C}_{\mathrm{sec}}$ and their duals are related.

Lemma 1.

$$\mathcal{C}_{\mathrm{pub}} = \mathcal{C}_{\mathrm{sec}}(T + R)^{-1} \qquad (2)$$

$$\mathcal{C}_{\mathrm{pub}}^\perp = \mathcal{C}_{\mathrm{sec}}^\perp (T + R)^T. \qquad (3)$$

Proof. The first equality follows immediately from (1), whereas the second one is observed in [2, p. 6, Equation (8)] where a parity-check matrix for the public code $\mathcal{C}_{\mathrm{pub}}$ is expressed in terms of a parity-check matrix of the secret code. This can be proved as follows. For all $c \in \mathcal{C}_{\mathrm{sec}}$, $c' \in \mathcal{C}_{\mathrm{sec}}^\perp$,

$$\left(c(T + R)^{-1}\right) \cdot \left(c'(T + R)^T\right) = \left(c(T + R)^{-1}(T + R)\right) \cdot c' = c \cdot c' = 0.$$

Moreover, since $Q = T + R$ is invertible, we get $\dim \mathcal{C}_{\mathrm{sec}}^\perp(T + R)^T + \dim \mathcal{C}_{\mathrm{sec}}(T + R)^{-1} = n$, hence the codes are dual to each other.

3 The fundamental tool: shortening and puncturing the dual of the public code

The lemmas stated in the present section are proved in Appendix A.

Puncturing and shortening will play a fundamental role in the attack. Recall that for a given code $\mathcal{C} \subset \mathbb{F}_q^n$ and a subset $X$ of code positions the punctured code $\mathcal{P}_X(\mathcal{C})$ and shortened code $\mathcal{S}_X(\mathcal{C})$ are defined as:

$$\mathcal{P}_X(\mathcal{C}) \stackrel{\text{def}}{=} \{(c_i)_{i \notin X} \mid c \in \mathcal{C}\}, \qquad \mathcal{S}_X(\mathcal{C}) \stackrel{\text{def}}{=} \{(c_i)_{i \notin X} \mid c \in \mathcal{C} \text{ such that } \forall i \in X,\ c_i = 0\}.$$

Given a subset $X$ of the set of coordinates of a vector $u$, we denote by $\mathcal{P}_X(u)$ the vector $u$ punctured at $X$, that is to say, the indexes that are in $X$ are removed.

First let us recall the influence of these operations on GRS codes.

Lemma 2. Let $x, y$ be two $n$-tuples of elements of $\mathbb{F}_q$ such that $x$ has pairwise distinct entries and $y$ has only nonzero entries. Let $k < n$ and $X \subset \{1, \ldots, n\}$. Then

$$\mathcal{P}_X(\mathrm{GRS}_k(x, y)) = \mathrm{GRS}_k(\mathcal{P}_X(x), \mathcal{P}_X(y)) \qquad (4)$$

$$\mathcal{S}_X(\mathrm{GRS}_k(x, y)) = \mathrm{GRS}_{k - |X|}(\mathcal{P}_X(x), y_X), \qquad (5)$$

for some $y_X \in \mathbb{F}_q^{n - |X|}$ which depends only on $y$ and $X$.

Next, with these notions at hand, it follows that the dual of the public code punctured in $\mathcal{J}_2$ is very close to a GRS code. We will also need to understand the structure of versions of this code which are shortened in positions belonging to $\mathcal{J}_1$ and then punctured in $\mathcal{J}_2$. It turns out that these codes too are close to GRS codes. First of all, puncturing $\mathcal{C}_{\mathrm{pub}}^\perp$ in positions belonging to $\mathcal{J}_2$ gives "almost" a GRS code, as shown by:

Lemma 3. Let $u = (u_i)_{i \in \mathcal{J}_1}$ and $v = (v_i)_{i \in \mathcal{J}_1}$ be vectors in $\mathbb{F}_q^{|\mathcal{J}_1|}$ defined by

$$u_i \stackrel{\text{def}}{=} x_{j(i)}, \qquad v_i \stackrel{\text{def}}{=} \ldots$$

Let $\mathcal{E} \stackrel{\text{def}}{=} \ldots$, then

$$\mathcal{P}_{\mathcal{J}_2}(\mathcal{E}) \subset \mathrm{GRS}_{n-k}(u, v). \qquad (6)$$

Lemma 4. Let $\lambda$ and … be vectors of $\mathbb{F}_q^n$ such that … $= \mathcal{C}_{\mathrm{sec}}^\perp(\lambda)(T^T + R^T)$, and let … $\stackrel{\text{def}}{=}$ … $\cap \langle \lambda \rangle^\perp$. Then,

$$\mathcal{P}_{\mathcal{J}_2}(\ldots) \subset \mathrm{GRS}_{n-k}(u, v). \qquad (7)$$

Moreover if $\mathcal{J}_1$ contains an information set$^3$ of … and … is invertible, then there exist $a$ and $b$ in $\mathbb{F}_q^{|\mathcal{J}_1|}$ such that for any $c$ in $\mathcal{P}_{\mathcal{J}_2}(\ldots)$ there exists a vector $p$ in $\mathrm{GRS}_{n-k}(u, v)$ for which

$$c = p + (p \cdot b)\, a. \qquad (8)$$

In particular, $\mathcal{P}_{\mathcal{J}_2}(\ldots) \subset \mathrm{GRS}_{n-k}(u, v) + \langle a \rangle$.

If we puncture with respect to $\mathcal{J}_2$ shortened versions of $\mathcal{C}_{\mathrm{pub}}^\perp$ in positions belonging to $\mathcal{J}_1$, then we observe a similar phenomenon, namely

Lemma 5. Let $I_1$ be a subset of code positions which is a subset of $\mathcal{J}_1$. Let $s \stackrel{\text{def}}{=} |I_1|$ and assume that $s \le n - k$. Then there exist vectors $a, u, v$ in $\mathbb{F}_q^{n - s - |\mathcal{J}_2|}$ such that:

$$\mathcal{P}_{\mathcal{J}_2}\left(\mathcal{S}_{I_1}(\mathcal{C}_{\mathrm{pub}}^\perp)\right) \subset \mathcal{E} + \langle a \rangle \qquad (9)$$

and $\mathcal{E}$ is a subcode of $\mathrm{GRS}_{n-k-s}(u, v)$.


4 Key-Recovery Attack

4.1 Outline

Our key-recovery attack starts with a parity-check matrix $H_{\mathrm{pub}}$ of the (public) code $\mathcal{C}_{\mathrm{pub}}$. The main goal is to recover matrices $T$ and $R$, where $H_{\mathrm{pub}}(T^T + R^T)$ is a parity-check matrix of a GRS code, $T$ is a low density square matrix and $R$ a rank 1 matrix. Recall that in our terminology, rows of $T$ belonging to $\mathcal{J}_1$ are positions of degree 1, and those in $\mathcal{J}_2$ are positions of degree 2. It implies, thanks to (3), that some columns of $H_{\mathrm{pub}}$ belong to $\mathcal{J}_1$ and the others are in $\mathcal{J}_2$.

Our attack is composed of three main steps having the following objectives:

1. Detecting columns of $H_{\mathrm{pub}}$ that belong to $\mathcal{J}_2$, and then deducing those of $\mathcal{J}_1$.

2. Transforming columns of $\mathcal{J}_2$ into degree 1 columns by linear combinations with columns of $\mathcal{J}_1$.

3. At this stage, the public code has been transformed into another code $\mathcal{C}$ such that there exists a secret GRS code $\mathcal{C}'_{\mathrm{sec}}$ and a matrix $\Pi + R'$ where $\Pi$ is a permutation matrix and $R'$ is a rank-1 matrix such that:

$$\mathcal{C} = \mathcal{C}'_{\mathrm{sec}}(\Pi + R'). \qquad (10)$$

The third step consists then in applying the attack developed in [11] which is purposely devised to recover a pair $(\Pi, R')$ from $\mathcal{C}$ as outlined in Section 2.1.

The purpose of the next sections is to describe more precisely the first two steps of the attack. Finally, the algorithms used in our implementation are postponed to Appendix E.

$^3$ In coding theory, an information set of a code $\mathcal{C}$ of dimension $k$ is a set of $k$ positions $I$ such that the knowledge of a codeword $c \in \mathcal{C}$ on the positions in $I$ determines entirely the codeword. Equivalently, if $G$ denotes a $k \times n$ generator matrix of the code, then the $k \times k$ submatrix of $G$ given by extracting the columns indexed by $I$ is invertible.

4.2 A distinguisher of the public code

The attack uses in a crucial way a distinguisher which discriminates the public code from a random code of the same dimension. It is based on square code considerations. The point is the following: if we shorten the dual of the public code in a large enough set of positions $X$, then the square code $\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2$ has dimension strictly smaller than that of $\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{rand}})\right)^2$ where $\mathcal{C}_{\mathrm{rand}}$ is a random code of the same dimension as $\mathcal{C}_{\mathrm{pub}}^\perp$. The code $\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{rand}})\right)^2$ has dimension which is typically $\min\left\{n - |X|, \binom{k_X + 1}{2}\right\}$ where $k_X$ stands for the dimension of $\mathcal{S}_X(\mathcal{C}_{\mathrm{rand}})$. In general, $k_X$ is equal to $n - k - |X|$ since $\dim \mathcal{C}_{\mathrm{pub}}^\perp = \dim \mathcal{C}_{\mathrm{rand}} = n - k$, whereas we generally have:

$$\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 \le 3(n - k) + |\mathcal{J}_2| - 3|X| - 1. \qquad (11)$$

In other words, when $3(n - k) + |\mathcal{J}_2| - 3|X| - 1 < \min\left\{n - |X|, \binom{k_X + 1}{2}\right\}$, we expect to distinguish $\mathcal{C}_{\mathrm{pub}}^\perp$ from a random code of the same dimension. We write here "generally" because there are some exceptional cases where such an inequality does not hold. However in the case when $X \subset \mathcal{J}_1$, this inequality always holds.

Proposition 4. Let $X \subset \mathcal{J}_1$, then $\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 \le 3(n - k) - 3|X| - 1 + |\mathcal{J}_2|$.

This proposition is proved in Appendix B.

Remark 4. It turns out that a similar inequality also generally holds when $X$ contains degree 2 positions. However in this case, the situation is more complicated and it might happen in rare cases that this upper bound is not met but, roughly speaking, when it happens, the actual result remains close to this upper bound. An explanation of what happens in this case is given in Appendix C. Experimentally, we observed that (11) was satisfied even when $X$ contained positions of $\mathcal{J}_2$.

Remark 5. The use of shortening is important since in general the (dual) public code itself is not distinguishable because its square equals the whole ambient space. However, for a part of the parameters proposed in [2], the dual public code is distinguishable from a random code without shortening. See … for further details.
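As an added example (Python code written for this page, not the paper's Magma implementation), the script below builds a toy BBCRS instance over the constructed prime field $\mathbb{F}_{101}$ and runs the two square-code computations that Section 1 and this section rely on: Proposition 3 on a GRS code, and the shortening distinguisher (11) on $\mathcal{C}_{\mathrm{pub}}^\perp$ against a random code of the same dimension. It assumes $T = D_1 + D_2 P_2$ from the second construction of Section 2 with $P_1$ the identity and $P_2$ a cyclic shift, and the parameters $n = 60$, $k = 36$, $m = 1.2$, $|X| = 14$ were chosen so that constraints (19) and $a \le a_0$ of Section 5.1 hold.

```python
import random

P = 101  # constructed toy field F_q with q = 101 prime; a GRS code needs n <= q


def rref(rows):
    """Reduced row echelon form over F_P; returns only the nonzero rows (a basis)."""
    rows = [r[:] for r in rows]
    if not rows:
        return []
    rank = 0
    for col in range(len(rows[0])):
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], P - 2, P)
        rows[rank] = [(v * inv) % P for v in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % P for a, b in zip(rows[i], rows[rank])]
        rank += 1
    return rows[:rank]


def grs_generator(x, y, k):
    """Generator matrix of GRS_k(x, y) (Definition 1): row j is (y_i * x_i^j)_i, j < k."""
    return [[(y[i] * pow(x[i], j, P)) % P for i in range(len(x))] for j in range(k)]


def square_dim(G):
    """Dimension of the square code (Definition 3): span of all g_i * g_j, i <= j."""
    prods = [[(a * b) % P for a, b in zip(G[i], G[j])]
             for i in range(len(G)) for j in range(i, len(G))]
    return len(rref(prods))


def shorten(G, X):
    """S_X(code): codewords vanishing on X, restricted to the positions outside X."""
    X = sorted(set(X))
    keep = [j for j in range(len(G[0])) if j not in X]
    ech = rref([[row[j] for j in X + keep] for row in G])
    # With the X columns placed first, an echelon row whose leading entry lies past
    # the first |X| columns is zero on X; those rows span exactly the shortened code.
    return [row[len(X):] for row in ech if not any(row[:len(X)])]


def bbcrs_dual_public(n, k, m, rng):
    """Generator H_pub of C_pub^perp = C_sec^perp (T + R)^T (Lemma 1), taking
    C_sec^perp = GRS_{n-k}(x, y) as in Section 2.2.  T = D1 + D2 P2 follows the
    second construction of Section 2 (P1 = identity, P2 = cyclic shift, (m-1)n rows
    of weight 2) and R = alpha^T beta has rank 1.  Returns (H_pub, J2)."""
    x = rng.sample(range(P), n)                    # distinct support
    y = [rng.randrange(1, P) for _ in range(n)]    # nonzero multipliers
    H_sec = grs_generator(x, y, n - k)
    J2 = set(rng.sample(range(n), round((m - 1) * n)))
    T = [[0] * n for _ in range(n)]
    for i in range(n):
        T[i][i] = rng.randrange(1, P)
        if i in J2:
            T[i][(i + 1) % n] = rng.randrange(1, P)
    while True:                                    # redraw R until Q = T + R is invertible
        alpha = [rng.randrange(P) for _ in range(n)]
        beta = [rng.randrange(P) for _ in range(n)]
        Q = [[(T[i][j] + alpha[i] * beta[j]) % P for j in range(n)] for i in range(n)]
        if len(rref(Q)) == n:
            break
    # H_pub = H_sec * Q^T: entry (r, j) is sum_l H_sec[r][l] * Q[j][l]
    H_pub = [[sum(h[l] * Q[j][l] for l in range(n)) % P for j in range(n)] for h in H_sec]
    return H_pub, J2


def grs_square_check(n=60, k=10, seed=1):
    """Proposition 3: the square of GRS_k(x, y) has dimension 2k - 1 when 2k - 1 <= n."""
    rng = random.Random(seed)
    x = rng.sample(range(P), n)
    y = [rng.randrange(1, P) for _ in range(n)]
    return square_dim(grs_generator(x, y, k))


def distinguisher_demo(n=60, k=36, m=1.2, a=14, seed=1):
    """Shorten C_pub^perp on a random X inside J1 with |X| = a, then compare the square
    dimension with bound (11) and with a random code of the same dimension n - k."""
    rng = random.Random(seed)
    H_pub, J2 = bbcrs_dual_public(n, k, m, rng)
    J1 = [i for i in range(n) if i not in J2]
    X = rng.sample(J1, a)
    S_pub = shorten(H_pub, X)
    G_rand = [[rng.randrange(P) for _ in range(n)] for _ in range(n - k)]
    S_rand = shorten(G_rand, X)
    kx = len(S_rand)
    return {
        "dim_pub_square": square_dim(S_pub),
        "bound_pub": 3 * (n - k) - 3 * a - 1 + len(J2),     # right-hand side of (11)
        "dim_rand_square": square_dim(S_rand),
        "expect_rand": min(n - a, kx * (kx + 1) // 2),       # typical value (Theorem 1)
    }
```

With these parameters bound (11) equals $3 \cdot 24 - 42 - 1 + 12 = 41$, while the shortened random code of dimension 10 has a square of the typical dimension $\min\{46, 55\} = 46$, so `distinguisher_demo()` exhibits the gap that the first step of the attack exploits.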
4.3 Description of the attack

First step — Distinguishing between positions in $\mathcal{J}_1$ and $\mathcal{J}_2$. Roughly speaking the attack builds upon an algorithm which allows to distinguish between a position of degree 1 and a position of degree 2. It turns out that once we are able to distinguish the public code from a random one by shortening it in a set of positions $X$ such that:

$$\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 < \min\left\{n - |X|, \binom{k_X + 1}{2}\right\}, \qquad (12)$$

we can puncture $\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)$ in a position $i$ that does not belong to $X$ and this allows to distinguish degree 1 positions from degree 2 positions. The dimension of the square code of this punctured code will differ drastically when $i$ is a degree 1 position (or a certain type of degree 2 position) or a "usual" degree 2 position. When $i$ is a degree 1 position it turns out that

$$\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 = \dim\left(\mathcal{P}_i\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)\right)^2, \qquad (13)$$

whereas for "usual" degree 2 positions we observe that

$$\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 = \dim\left(\mathcal{P}_i\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)\right)^2 + 1. \qquad (14)$$

Sometimes (in the "non usual" cases), we can have positions of degree 2 for which

$$\dim\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 = \dim\left(\mathcal{P}_i\left(\mathcal{S}_X(\mathcal{C}_{\mathrm{pub}}^\perp)\right)\right)^2$$

as for degree 1 positions. This happens for instance if shortening in $X$ "induces" a degree 1 position in $i$. This arises mostly when the position $i$ of degree 2 is such that $j(i) = \{j_1, j_2\}$ where either $j_1 = j(i')$ or $j_2 = j(i')$ for a position $i'$ of degree 1 that belongs to $X$. Further details on these phenomena are given in Appendix C. This phenomenon really depends on the choice of $X$. However, by choosing several random subsets $X$ we quickly find a shortening set $X$ for which the degree 2 position we want to test behaves as predicted in (14). This yields an algorithm to decide whether a given position has degree 2. See Algorithm … in Appendix E.

Moreover, we explain below how to use the above observations to compute the whole set of positions of degree 2.

Procedure to compute $\mathcal{J}_2$

– Choose a set of random subsets $X_1, \ldots, X_s$ (in our experiments we always chose $s = 20$) whose cardinalities satisfy (12).

– For $i = 1, \ldots, s$ compute $\mathcal{S}_{X_i}(\mathcal{C}_{\mathrm{pub}}^\perp)$ and call $\mathcal{J}_2(i)$ the set of positions $j$ satisfying

$$\dim\left(\mathcal{S}_{X_i}(\mathcal{C}_{\mathrm{pub}}^\perp)\right)^2 \ne \dim\left(\mathcal{P}_j\left(\mathcal{S}_{X_i}(\mathcal{C}_{\mathrm{pub}}^\perp)\right)\right)^2.$$

– Set $\mathcal{J}_2 \stackrel{\text{def}}{=} \mathcal{J}_2(1) \cup \cdots \cup \mathcal{J}_2(s)$.

The above described procedure to compute the positions of degree 2 is summarized by Algorithm … (see Appendix E).
Second step — Transforming degree 2 positions into degree 1 ones. This step relies on the following statements proved in Appendix D.

Proposition 5. Let $i_1 \in \mathcal{J}_1$ and $i_2 \in \mathcal{J}_2$ be a position associated to $i_1$. Let $D(a, i_1, i_2)$ be an $n \times n$ matrix which is the identity matrix with an additional entry in column $i_2$ and row $i_1$ that is equal to $a$. Define $\mathcal{C} \stackrel{\text{def}}{=}$ …. If $a = -$…, then there exists $R'$ of rank at most one such that

$$\mathcal{C}^\perp = \mathcal{C}_{\mathrm{sec}}^\perp\left(T'^{T} + R'^{T}\right) \qquad (15)$$

where $T'$ differs from $T$ only in row $i_2$ and column $j_1$, the corresponding entry being now equal to 0.

This proposition is exploited as follows.

We first compute for a degree 1 position $i_1$ the set of degree 2 positions $i_2$ such that $j(i_1) \in j(i_2)$. These positions $i_2$ can be detected by checking if $i_2$ has now become a degree 1 position for the code shortened at $i_1$ (this is the case if and only if $j(i_1) \in j(i_2)$). See Algorithm … in Appendix E. Once such a pair $(i_1, i_2)$ has been found we try all possible values for $a \in \mathbb{F}_q$ until we obtain a code $\mathcal{C}$ for which the corresponding $T'$ contains a row of index $i_2$ which is now of Hamming weight 1. That is to say: $i_2$ became a position of degree 1 for $\mathcal{C}$. This can be easily checked by using the previous technique to distinguish between a position of degree 1 or 2. See Algorithm … in Appendix E.

In other words, when we are successful, we obtain a new code $\mathcal{C}$ for which there is one more row of weight 1. We iterate this process by replacing $\mathcal{C}_{\mathrm{pub}}$ by $\mathcal{C}$ and $\mathcal{J}_1$ by $\mathcal{J}_1 \cup \{i_2\}$ until we do not find such pairs $(i_1, i_2)$. For the values of $m$ chosen in [2] and with rows of $T$ which were all of weight 1 or 2 we ended up with $T'$ which was a permutation matrix and a code $\mathcal{C}$ which was linked to the secret code by

$$\ldots$$

where $\Pi$ is a permutation matrix and $R'$ a matrix of rank at most 1. To finish the attack, we just apply the attack described in [11, Sec. 4] to recover $\mathcal{C}_{\mathrm{sec}}$.

Algorithm … given in Appendix E describes the complete attack.


Case of remaining degree-2 positions

It could happen that the previously described method is insufficient to transform every degree 2 position into a degree 1 one. It could for instance happen if there is a position $i$ of degree 2 such that for all positions $i'$ of degree 1, $j(i') \notin j(i)$. In such a situation, no position of degree 1 can be used to eliminate this position of degree 2.

This problem can be addressed as soon as the set of positions of degree 1 contains an information set of the code. We describe the strategy to conclude the attack in such a situation.

Let $\mathcal{C}$ be the code obtained after performing the two steps of the attack and assume that there remains a nonempty set $\mathcal{J}_2$ of positions of degree 2, which are known (since they have been identified during the first step of the attack). Here is the strategy.

1. Puncture $\mathcal{C}$ at $\mathcal{J}_2$. The punctured code is of the form

$$\ldots \qquad (16)$$

where $\mathcal{C}'$ is a GRS code, $I$ is the identity matrix and $R'$ a rank 1 matrix.

2. Perform the attack of [11] on $\mathcal{P}_{\mathcal{J}_2}(\mathcal{C})$. We get the knowledge of a support $x'$, a multiplier $y'$ and a rank 1 matrix $R'$ such that

$$\mathcal{P}_{\mathcal{J}_2}(\mathcal{C}) = \mathrm{GRS}_k(x', y')(I + R').$$

Moreover, we are able to identify the polynomials $P_1, \ldots, P_k$ yielding the rows of the public matrix $G_{\mathrm{pub}}$.

3. For all $x \in \mathbb{F}_q$ which is not in the support $x'$ of $\mathcal{P}_{\mathcal{J}_2}(\mathcal{C})$, compute the column

$$\begin{pmatrix} P_1(x) \\ P_2(x) \\ \vdots \\ P_k(x) \end{pmatrix}$$

and join it to the matrix $G_{\mathrm{pub}}$. In this manner we get new positions of degree 1 which can be used to eliminate the remaining positions of degree 2.

Remark 6. In our experiments, this situation never happened: we have always eliminated all the degree 2 positions using Proposition 5.

5 Limits and Complexity of the Attack

5.1 Choosing appropriately the cardinality of $X$

By definition of the density $m$, the sets $\mathcal{J}_1$ and $\mathcal{J}_2$ have respective cardinalities $(2 - m)n$ and $(m - 1)n$. In what follows, we denote by $R$ the rate of the public code, namely $R = k/n$. Let us recall that the attack shortens the dual of a public code which is of dimension $n - k$. The cardinality of $X$ is denoted by $a$. We list the constraints we need to satisfy for the success of the attack.

1. The shortened code should not be reduced to the zero space, which implies that $a < n - k$.

2. The code punctured at $\mathcal{J}_2$ must contain an information set, that is to say:

$$n - k \le |\mathcal{J}_1|. \qquad (17)$$

It is clear that (17) is equivalent to $m \le 1 + R$.

3. The computed square code in Proposition 4 should also be different from the full space, which implies:

$$3(n - k - a) + |\mathcal{J}_2| - 1 < n - a. \qquad (18)$$

One can easily check that (18) is equivalent to:

$$a \ge \frac{1}{2}\left((1 + m)n - 3k\right). \qquad (19)$$
4. Finally, to have good chances that the dimension of the square code reaches the upper bound given by Proposition 4, we also need:

$$3(n - k - a) + |J_2| - 1 < \binom{n - k - a + 1}{2}, \tag{20}$$

which is equivalent to the inequality:

$$a^2 + \big(5 - 2(n - k)\big)a + (n - k)^2 - 5(n - k) + 2(1 - m)n \geq 0. \tag{21}$$

Considering (21) as an inequality involving a degree-2 polynomial in $a$, we can check that its discriminant is equal to $\Delta \stackrel{def}{=} 8(m - 1)n + 25$, so that its roots are $a_0$ and $a_1$ where:

$$a_0 \stackrel{def}{=} n - k - \frac{5}{2} - \frac{\sqrt{\Delta}}{2} \quad\text{and}\quad a_1 \stackrel{def}{=} n - k - \frac{5}{2} + \frac{\sqrt{\Delta}}{2}. \tag{22}$$

Let us recall that in order to have (21) satisfied, we should have $a \leq a_0$ or $a \geq a_1$. Because of the constraint $a < n - k$ and since $a_1 > n - k$, the only case to study is $a \leq a_0$. Combining (19) with $a \leq a_0$, we obtain:

$$\frac{1}{2}\big((1 + m)n - 3k\big) \leq a_0,$$

which is equivalent to the following inequality involving this time a degree-2 polynomial in $m$:

$$n^2 m^2 + 2n(1 - n - k)m + 2kn + k^2 - 10k + n^2 - 2n \geq 0. \tag{23}$$

The discriminant of this polynomial is $n^2(8k + 1)$ and the roots are:

$$m_0 = 1 + R - \frac{1}{n} - \sqrt{\frac{8}{n}R + \frac{1}{n^2}} \quad\text{and}\quad m_1 = 1 + R - \frac{1}{n} + \sqrt{\frac{8}{n}R + \frac{1}{n^2}}.$$

Because of the fact that $m \leq 1 + R$ from (17), and since $m_1 > 1 + R$, we conclude that the attack can be applied as long as $m \leq m_0$, that is to say:

$$m \leq 1 + R - \frac{1}{n} - \sqrt{\frac{8}{n}R + \frac{1}{n^2}}. \tag{24}$$

5. Finally, the last step of the attack consists in performing the attack of [11].


Remark 7. This upper bound is roughly $1 + R$. In [2], the authors suggest to choose $m \leq 2 - R$ for rates $R > \frac{1}{2}$, which is well within the reach of the present attack.
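To see how constraints 1 to 4 translate into a concrete choice of the shortening length $a$, here is an added worked example (Python code written for this page, not code from the paper) that evaluates (19), (22) and (24) on the length-346 parameters of Table 1; the function names are mine, and the only inputs are the $(n, k, m)$ triples of the table.

```python
"""Shortening length a and density bound of Section 5.1 on concrete parameters (added example)."""
from math import ceil, floor, sqrt


def density_bound_m0(n, k):
    """Right-hand side of (24): the root m_0 of the degree-2 polynomial (23) in m."""
    R = k / n
    return 1 + R - 1 / n - sqrt(8 * R / n + 1 / n ** 2)


def a_range(n, k, m):
    """Admissible cardinalities a = |I| of the shortening set, or None if there is none.

    a < n - k              constraint 1 (the shortened code is not zero)
    m <= 1 + R             constraint 2, i.e. (17): J_1 contains an information set
    a >= ((1+m)n - 3k)/2   constraint 3, i.e. (19): the square code is not the full space
    a <= a_0               constraint 4, i.e. (21), with a_0 the smaller root (22)
    """
    if m > 1 + k / n:
        return None
    delta = 8 * (m - 1) * n + 25                 # discriminant of (21)
    a0 = n - k - 5 / 2 - sqrt(delta) / 2         # smaller root of (21), see (22)
    lower = ((1 + m) * n - 3 * k) / 2            # bound (19)
    lo = max(0, ceil(lower))
    hi = floor(min(a0, n - k - 1))
    return (lo, hi) if lo <= hi else None


def satisfies_24(n, k, m):
    """True when the density m is below the bound (24) for an [n, k] public code."""
    return m <= density_bound_m0(n, k)


# Length-346 rows of Table 1; Remark 10 singles out the first two as violating (24).
TABLE_346 = [(346, 180, 1.471), (346, 188, 1.448), (346, 204, 1.402),
             (346, 228, 1.332), (346, 252, 1.263), (346, 268, 1.217), (346, 284, 1.171)]


def report(params=TABLE_346):
    """For each (n, k, m): the bound m_0, whether (24) holds, and the admissible range of a."""
    return [(n, k, m, round(density_bound_m0(n, k), 4), satisfies_24(n, k, m), a_range(n, k, m))
            for n, k, m in params]


if __name__ == "__main__":
    for row in report():
        print(row)
```

For $(346, 180)$ the bound $m_0$ evaluates to about $1.408$, below the proposed $m = 1.471$, and the interval of admissible $a$ is empty, whereas for $(346, 204)$ with $m = 1.402$ the bound is about $1.470$ and every $a$ between 110 and 122 satisfies all four constraints; this is the arithmetic behind Remark 10.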


5.2 Estimating the complexity

As explained in Proposition [ref], the square of a code of dimension $k$ and length $n$ can be computed in $O(n^2 k^2)$. Let us study the costs of the steps of the attack.

— Step 1. Finding the positions of degree 2. For a constant number of subsets $\mathcal{I}$ of length $a \leq a_0$ where $a_0$ is defined in (22), we shorten $\mathcal{C}_{pub}^{\perp}$ and compute its square. If $a$ is close to $a_0$ then the shortened code has dimension $n - k - a = O(\sqrt{n})$. Hence, the computation of its square costs $O(n^3)$. Thus this first step costs $O(n^3)$ operations in $\mathbb{F}_q$.

— Step 2. Transforming degree-2 positions into degree-1 positions. This is the most expensive part of the attack. For a given position $i_1 \in J_1$, the computation of the positions $i_2$ of degree 2 such that $j(i_1) \in j(i_2)$⁵ consists essentially in shortening the dual public code at $i_1$ and applying the first step to the shortened code. This costs $O(n^3)$. Then, the application of Proposition [ref] to transform $i_2$ requires to proceed to at most $q$ linear combinations and, for each one, to check whether the position became of degree 1. Each check has mostly the same cost as the first step, that is $O(n^3)$. Thus, the overall cost to reduce one position of degree 2 is $O(q n^3)$ and hence, there being $|J_2| = (m - 1)n$ such positions, the cost of this second step is $O(q n^4)$.

— Step 3. According to [11], it is in $O(n^6)$.

⁵ Equivalently, there exists an integer $j$ such that $T_{i_1 j} \neq 0$ and $T_{i_2 j} \neq 0$.


6 Experimental Results

Table 1 gathers experimental results obtained when the attack is programmed in Magma V2.20-3 [9]. The attacked parameters are taken from [2, Tables 3 & 4]. The timings given are obtained with an Intel® Xeon 2.27GHz and 72 Gb of RAM. Our programs are far from being optimized and improved programs could probably provide better timings and memory usage.

The running times for codes of length 346 are below 5 hours and those for codes of length 546 can be a bit longer than one day. The total memory usage remains below 100Mb for codes of length 346 and 500Mb for codes of length 546.


(q, n, k, z)        | m     | Step 1 | Step 2
(347, 346, 180, 1)  | 1.471 | 15 s   | 18513 s (≈5 hours)
(347, 346, 188, 1)  | 1.448 | 8 s    | 10811 s (≈3 hours)
(347, 346, 204, 1)  | 1.402 | 10 s   | 8150 s (≈2.25 hours)
(347, 346, 228, 1)  | 1.332 | 15 s   | 9015 s (≈2.5 hours)
(347, 346, 252, 1)  | 1.263 | 36 s   | 10049 s (≈2.75 hours)
(347, 346, 268, 1)  | 1.217 | 3 s    | 14887 s (≈4 hours)
(347, 346, 284, 1)  | 1.171 | 3 s    | 7165 s (≈2 hours)
(547, 546, 324, 1)  | 1.401 | 60 s   | 58778 s (≈16 hours)
(547, 546, 340, 1)  | 1.372 | 83 s   | 72863 s (≈20 hours)
(547, 546, 364, 1)  | 1.328 | 100 s  | 72343 s (≈20 hours)
(547, 546, 388, 1)  | 1.284 | 170 s  | 85699 s (≈24 hours)
(547, 546, 412, 1)  | 1.240 | 15 s   | 157999 s (≈43 hours)
(547, 546, 428, 1)  | 1.211 | 15 s   | 109970 s (≈30.5 hours)

Table 1. Running times


Remark 8. Since the algorithms include many random choices, the identification of pairs $(i_1, i_2)$, where $i_1 \in J_1$ and $i_2 \in J_2$ such that $j(i_1) \in j(i_2)$, might happen quickly or be rather long. This explains the important gaps between different running times.

Remark 9. Actually some parameters proposed in [2] were directly distinguishable without even shortening. This holds for $(q, n, k) = (347, 346, 268)$, $(q, n, k) = (347, 346, 284)$ and $(q, n, k) = (547, 546, 428)$ with $m$ respectively equal to 1.217, 1.171 and 1.211. This explains why the first step is quicker for these examples.

Remark 10. The examples $[346, 180]_{347}$ and $[346, 188]_{347}$ do not satisfy (24). However, they are distinguishable by shortening and squaring and the attack works on them. Because of some cancellation phenomenon for positions of degree 2 which we do not control, it may happen that the upper bound in Proposition 4 is not sharp and that some shortenings of the dual public code turn out to be distinguishable while our formulas could not anticipate it.

The above remark is of interest since it points out that our attack might work for values of $m$ above $1 + R$.


7 Concluding Remarks

The papers [1, 2] can be seen as an attempt of replacing the permutation matrix in the McEliece scheme by a more complicated transformation. Instead of having, as in the McEliece scheme, a relation between the secret code $\mathcal{C}_{sec}$ and the public code $\mathcal{C}_{pub}$ of the form $\mathcal{C}_{sec} = \mathcal{C}_{pub}\Pi$ where $\Pi$ is a permutation matrix, it was chosen in [ref] that

$$\mathcal{C}_{sec} = \mathcal{C}_{pub} T$$

where $T$ is a sparse matrix of density $m$, or as

$$\mathcal{C}_{sec} = \mathcal{C}_{pub}(T + R)$$

where $T$ is as before and $R$ is of very small rank $z$ (the case of rank 1 being probably the only practical way of choosing this rank, as will be discussed below) as in [ref]. It was advocated that this allows to use for the secret code $\mathcal{C}_{sec}$ codes which are well known to be weak in the usual McEliece cryptosystem, such as LDPC codes [ref] or GRS codes [ref]. Interestingly enough, it turns out that for LDPC codes this basically amounts to choosing a McEliece system where the density of the parity-check matrix is increased by a large amount and the error-correction capacity is decreased by the same multiplicative constant. The latter approach has been studied in [21]; it leads to schemes with slightly larger decoding complexity but that have at least partial security proofs.

In the case of GRS codes, the first attempt [1] of choosing for $T$ a permutation matrix was broken in [11, Sec. 4]. It was suggested later on in [2] that this attack can be avoided by choosing $T$ of larger density. In order to reduce the public key size when compared to the McEliece scheme based on Goppa codes, rather moderate values of $m$ between 1 and 2 ($m = 1.4$ for instance) were chosen in [2]. We show here that the parameters proposed in [2] can be broken by a new attack computing first the dimension of the square code of shortened versions of the dual of the public code and using this to reduce the problem to the original problem [1] when $T$ is a permutation matrix. This attack can be avoided by choosing larger values for $m$ and/or $z$, but this comes at a certain cost, as we now show.

Increasing $z$. Increasing $z = 1$ to larger values of $z$ avoids the attack given here, though some of the ideas of [11] might be used in this new context to get rid of the $R$ part in the scheme and might lead to an attack of reasonable complexity when $z = 2$ by trying first to guess several codewords which lie in the code $\cap$ (this code is of codimension at least $z$ in ). Once is found, we basically have to recover $T$ and the approach used in this paper can be applied to it. To avoid such an attack, rather large values of $z$ have to be chosen, but the decryption cost becomes prohibitive by doing so. Indeed, decryption time is of order $q^z C$ where $C$ is the decoding complexity of the underlying GRS code. Choosing $z = 2$ is of questionable practical interest and $z > 2$ becomes probably unreasonable.

Increasing $m$. Choosing values for $m$ close enough to 2 will avoid the attack presented here. However this also reduces strongly the gain in key size when compared to the McEliece scheme based on Goppa or alternant codes. Indeed, assume for simplicity $m = 2$. We can use in such a case for the secret code a GRS code over $\mathbb{F}_q$ of dimension $k = n - 2t$ and add errors of weight $\leq \frac{t}{2}$ in the BBCRS scheme. The public key size of such a scheme is however not better than choosing in the McEliece scheme a Goppa code of the same dimension $n - 2t$ but which is the subfield subcode of a GRS code over $\mathbb{F}_{q^2}$ of dimension $n - t$, and which can also correct $\frac{t}{2}$ errors. This Goppa code has the very same parameters and provides the same security level. For this reason, one loses the advantages of using GRS codes when choosing $m$ close to 2. Thus, to have interesting key sizes and to resist our attack, $m$ should be smaller than 2 and larger than $1 + R$. One should however be careful, since, as explained in Section 6, it is still unclear whether the attack fails for $m$ closely above $1 + R$.

On the other hand, it might be interesting for theoretical reasons to understand better the security of the BBCRS scheme for larger values of $m$. There might be a closer connection than what it looks between the BBCRS scheme with density $m$ and the usual McEliece scheme with (possibly non-binary) Goppa codes of extension degree $m$. The connection is that the case $m = 2$ is in both cases the limiting case where the distinguishing approach of [ref] might work (in [ref], the attack only works because wild Goppa codes are studied and this brings an additional power to the distinguishing attack). It should also be added that it might be interesting to study the choice of $\mathcal{C}_{sec}$ being an LDPC code and $\mathcal{C}_{sec} = \mathcal{C}_{pub}(T + R)$, since here adding $R$ of small rank can also change rather drastically the property of $\mathcal{C}_{pub}$ being an LDPC code (which is at the heart of the key attacks on McEliece schemes based on LDPC codes).
A Proof of Lemmas [ref] to 5

Notation 2. In the proofs to follow, the code $\mathcal{D}$ always denotes the one defined in Lemma [ref], that is

$$\mathcal{D} \stackrel{def}{=} \mathcal{C}_{sec}^{\perp} T^{\top}.$$

Proof (Proof of Lemma [ref]). A codeword of $GRS_k(x, y)$ is of the form $(y_1 P(x_1), \ldots, y_n P(x_n))$ where $P \in \mathbb{F}_q[X]$ has degree $< k$. Puncturing consists in removing the entries with index in $\mathcal{I}$, which yields the first equation of the lemma. To lie in the shortened code, the polynomial $P$ should vanish on the elements of $\mathcal{I}$. Thus, it should be of the form $P(X) = \big(\prod_{i \in \mathcal{I}}(X - x_i)\big)Q(X)$ for some polynomial $Q$ of degree $< k - |\mathcal{I}|$. Hence, the words of the shortened code are of the form

$$\Big(y_i \prod_{j \in \mathcal{I}}(x_i - x_j)\, Q(x_i)\Big)_{i \notin \mathcal{I}}$$

where $Q$ has degree $< k - |\mathcal{I}|$, which yields the second equation of the lemma.


Proof (Proof of Lemma [ref]). For any codeword $c = (c_i)_{1 \leq i \leq n}$ in $\mathcal{D}$ there exists a polynomial $P(X) \in \mathbb{F}_q[X]$ of degree less than $n - k$ such that for all $i \in \{1, \ldots, n\}$, we have

$$c_i = \sum_{j=1}^{n} y_j T_{ij} P(x_j).$$

When $i$ is in $J_1$, we clearly have $c_i = T_{i j(i)}\, y_{j(i)}\, P(x_{j(i)})$. This implies that

$$\mathcal{P}_{J_2}(\mathcal{D}) \subseteq GRS_{n-k}(u, v). \tag{25}$$


Proof (Proof of Lemma [ref]). By definition of $\mathcal{C}_{sec}(\lambda)$, we have

$$\mathcal{C}_{pub}(\lambda)^{\perp} = \mathcal{C}_{sec}(\lambda)^{\perp}(T^{\top} + R^{\top})$$

and, since $c' R^{\top} = (c' \cdot \lambda)\mu = 0$ for every $c' \in \mathcal{C}_{sec}(\lambda)^{\perp}$, we get

$$\mathcal{C}_{pub}(\lambda)^{\perp} = \mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}.$$

Then, using (25), we get

$$\mathcal{P}_{J_2}\big(\mathcal{C}_{pub}(\lambda)^{\perp}\big) \subseteq GRS_{n-k}(u, v).$$

This is precisely the inclusion given by [ref].

Let us now assume that $J_1$ contains an information set of $\mathcal{C}_{sec}^{\perp}$ and that $T$ is invertible. Consider a codeword $c$ in $\mathcal{C}_{pub}^{\perp}$. There exists $c'$ in $\mathcal{C}_{sec}^{\perp}$ such that

$$c = c'(T^{\top} + R^{\top}). \tag{26}$$

Notice now that

$$c' R^{\top} = c'(\lambda^{\top}\mu) = (c' \cdot \lambda)\,\mu.$$

Let $\beta \stackrel{def}{=} \mathcal{P}_{J_2}(c' T^{\top})$. Since $J_1$ contains an information set of $\mathcal{C}_{sec}^{\perp}$ and $T$ is invertible, the composite map

$$\mathcal{C}_{pub}^{\perp} \to \mathcal{C}_{sec}^{\perp} \to \mathcal{C}_{sec}^{\perp} T^{\top} \to \mathcal{P}_{J_2}\big(\mathcal{C}_{sec}^{\perp} T^{\top}\big)$$

is an isomorphism and hence, we deduce that there exists $b$ in $\mathbb{F}_q^{|J_1|}$ (which does not depend on $c'$) such that

$$c' \cdot \lambda = \beta \cdot b.$$

We define $a$ by $a \stackrel{def}{=} \mathcal{P}_{J_2}(\mu)$ and we obtain by using (26) that

$$\mathcal{P}_{J_2}(c) = \mathcal{P}_{J_2}(c' T^{\top}) + \mathcal{P}_{J_2}(c' R^{\top}) = \beta + (\beta \cdot b)\, a,$$

which proves [ref].


Proof (Proof of Lemma [ref]). We start by the remark that there exists a vector $a_0 \in \mathbb{F}_q^n$ such that

$$\mathcal{C}_{pub}^{\perp} = \mathcal{C}_{pub}(\lambda)^{\perp} + \langle a_0 \rangle.$$

Now, after shortening at $\mathcal{I}_1$, there exists $a_1 \in \mathbb{F}_q^{n - |\mathcal{I}_1|}$ such that

$$\mathcal{S}_{\mathcal{I}_1}\big(\mathcal{C}_{pub}^{\perp}\big) = \mathcal{S}_{\mathcal{I}_1}\big(\mathcal{C}_{pub}(\lambda)^{\perp}\big) + \langle a_1 \rangle$$

and finally there exists a vector $a$ in $\mathbb{F}_q^{n - |\mathcal{I}_1| - |J_2|}$ such that

$$\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}^{\perp})\big) = \mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}(\lambda)^{\perp})\big) + \langle a \rangle. \tag{27}$$

Moreover, we have

$$\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}(\lambda)^{\perp})\big) = \mathcal{P}_{J_2}\Big(\mathcal{S}_{\mathcal{I}_1}\big(\mathcal{C}_{sec}(\lambda)^{\perp}(T^{\top} + R^{\top})\big)\Big) = \mathcal{P}_{J_2}\Big(\mathcal{S}_{\mathcal{I}_1}\big(\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}\big)\Big) \underset{\text{codim } 1}{\subseteq} \mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{D})\big), \tag{28}$$

where we remind that $\mathcal{D}$ is defined in Notation 2. From the definition of $\mathcal{D}$ we know that

$$\mathcal{D} = \Big\{\Big(\sum_{j=1}^{n} y_j T_{ij} P(x_j)\Big)_{1 \leq i \leq n} \;:\; \deg P < n - k\Big\}.$$

Observe that for a position $i \in J_1$, we have

$$\sum_{j=1}^{n} y_j T_{ij} P(x_j) = y_{j(i)}\, T_{i j(i)}\, P(x_{j(i)}). \tag{29}$$

Such a coordinate vanishes if and only if $P(X)$ is divisible by $(X - x_{j(i)})$, which implies that

$$\mathcal{S}_{\mathcal{I}_1}(\mathcal{D}) = \Big\{\Big(\sum_{j=1}^{n} y_j T_{ij} \prod_{l \in \mathcal{I}_1}(x_j - x_{j(l)})\, P(x_j)\Big)_{i \notin \mathcal{I}_1} \;:\; \deg P < n - k - s\Big\},$$

where $s = |\mathcal{I}_1|$. From this and using (29) again, we obtain

$$\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{D})\big) = \Big\{\Big(y_{j(i)}\, T_{i j(i)} \prod_{l \in \mathcal{I}_1}(x_{j(i)} - x_{j(l)})\, P(x_{j(i)})\Big)_{i \in J_1 \setminus \mathcal{I}_1} \;:\; \deg P < n - k - s\Big\}.$$

This is clearly a GRS code of dimension $n - k - s$. Set

$$\mathcal{E} \stackrel{def}{=} \mathcal{P}_{J_2}\Big(\mathcal{S}_{\mathcal{I}_1}\big(\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}\big)\Big). \tag{30}$$

Then, $\mathcal{E}$ is indeed a subcode of codimension 1 of the GRS code $\mathcal{P}_{J_2}(\mathcal{S}_{\mathcal{I}_1}(\mathcal{D}))$ and the lemma follows by combining this equation with (27) and (28) and using that the left-hand term in (28) has codimension 1 in the right-hand one.


B Proof of Proposition 4

To prove this result we will need a few additional results involving general inequalities concerning the dimension of the square code.

Lemma 6. For all linear codes $\mathcal{A}, \mathcal{B}, \mathcal{C} \subseteq \mathbb{F}_q^n$ and all subsets $\mathcal{I}$ of code positions, we have

$$\dim (\mathcal{A} + \mathcal{B})^2 \leq \dim \mathcal{A}^2 + \dim \mathcal{B}^2 + \dim (\mathcal{A} \star \mathcal{B}), \tag{31}$$

$$\dim \mathcal{C}^2 \leq \dim \mathcal{P}_{\mathcal{I}}(\mathcal{C})^2 + |\mathcal{I}|. \tag{32}$$

Proof. By definition of the square codes, one proves that $(\mathcal{A} + \mathcal{B})^2 = \mathcal{A}^2 + \mathcal{B}^2 + \mathcal{A} \star \mathcal{B}$. This leads to (31). Let $\mathcal{A}(\mathcal{I})$ be the code of dimension $|\mathcal{I}|$ and length $n$ composed by all words of $\mathbb{F}_q^n$ supported by $\mathcal{I}$ and $\mathrm{Ext}(\mathcal{P}_{\mathcal{I}}(\mathcal{C}))$ be the code $\mathcal{P}_{\mathcal{I}}(\mathcal{C})$ extended by zero to get a code of length $n$. We have:

$$\mathcal{C} \subseteq \mathrm{Ext}(\mathcal{P}_{\mathcal{I}}(\mathcal{C})) \oplus \mathcal{A}(\mathcal{I}),$$

then, thanks to (31) and since $\mathrm{Ext}(\mathcal{P}_{\mathcal{I}}(\mathcal{C})) \star \mathcal{A}(\mathcal{I}) = \{0\}$ and $\dim \mathcal{A}(\mathcal{I})^2 = |\mathcal{I}|$, we get (32).


Proof (Proof of Proposition 4). We start by using Lemma [ref] with $\mathcal{I} = \mathcal{I}_1$. We get that there exist vectors $a, u, v$ in $\mathbb{F}_q^{n - |\mathcal{I}_1| - |J_2|}$ such that

$$\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}^{\perp})\big) = \mathcal{E} + \langle a \rangle, \tag{33}$$

where $\mathcal{E}$ is some subcode of $GRS_{n - k - |\mathcal{I}_1|}(u, v)$ of codimension 1 (see (30)). From (31) with $\mathcal{A} = \langle a \rangle$ and $\mathcal{B} = \mathcal{E}$ and Proposition [ref] we deduce that

$$\begin{aligned}
\dim \Big(\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}^{\perp})\big)\Big)^2 &\leq 1 + \dim \mathcal{E}^2 + \dim (\mathcal{E} \star \langle a \rangle) & (34)\\
&\leq 1 + \dim \big(GRS_{n-k-|\mathcal{I}_1|}(u, v)\big)^2 + (n - k - |\mathcal{I}_1| - 1) & (35)\\
&\leq 1 + 2(n - k - |\mathcal{I}_1|) - 1 + (n - k - |\mathcal{I}_1| - 1) & (36)\\
&= 3(n - k) - 3|\mathcal{I}_1| - 1. & (37)
\end{aligned}$$

We finish by using (32) and obtain that

$$\dim \big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}^{\perp})\big)^2 \leq \dim \Big(\mathcal{P}_{J_2}\big(\mathcal{S}_{\mathcal{I}_1}(\mathcal{C}_{pub}^{\perp})\big)\Big)^2 + |J_2| \leq 3(n - k) - 3|\mathcal{I}_1| - 1 + |J_2|.$$


C Explanations for the upper bound (11) in the case where $\mathcal{I}$ contains positions of degree 2

C.1 A general upper bound on the dimension of $\big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$

It will be useful to have a slight variant of Proposition 4 which holds for any subset $\mathcal{I}$ of code positions and which is given by

Proposition 6. Let $\mathcal{I}$ be a set of code positions. Let $\mathcal{D}' \stackrel{def}{=} \mathcal{S}_{\mathcal{I}}(\mathcal{D})$ and let $\mathrm{Ext}(\mathcal{D}')$ be the code obtained from $\mathcal{D}'$ by extending by zero at the positions which were shortened. If $\mathrm{Ext}(\mathcal{D}') \not\subseteq \mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}$ and $T$ is invertible, we have

$$\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 \leq \dim \mathcal{D}'^2 + \dim \mathcal{D}'. \tag{38}$$

Proof. Recall that, from Lemma [ref], we have

$$\mathcal{C}_{pub}^{\perp} = \mathcal{C}_{sec}^{\perp}(T^{\top} + R^{\top})$$

and that $R^{\top} = \lambda^{\top}\mu$. Two cases have to be considered now.

Case 1: $\lambda \in \mathcal{C}_{sec}$. This implies that $\mathcal{C}_{sec}^{\perp} \subseteq \langle \lambda \rangle^{\perp}$ and therefore we have that

$$\mathcal{C}_{pub}^{\perp} = \mathcal{C}_{sec}^{\perp} T^{\top} = \mathcal{D}.$$

In such a case we have $\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}) = \mathcal{D}'$ and the upper bound follows immediately.

Case 2: $\lambda \notin \mathcal{C}_{sec}$. In this case there exists $a \in \mathbb{F}_q^n$ such that

$$\mathcal{C}_{sec}^{\perp} = \langle a \rangle + \mathcal{C}_{sec}(\lambda)^{\perp}.$$

From this we deduce

$$\mathcal{C}_{pub}^{\perp} = \big(\langle a \rangle + \mathcal{C}_{sec}(\lambda)^{\perp}\big)(T^{\top} + R^{\top}) = \langle b \rangle + \mathcal{C}_{sec}(\lambda)^{\perp} T^{\top},$$

where $b = a(T^{\top} + R^{\top})$. This implies that there exists $c \in \mathbb{F}_q^{n - |\mathcal{I}|}$ such that

$$\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}) \subseteq \langle c \rangle + \mathcal{S}_{\mathcal{I}}\big(\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}\big).$$

Then, we use the upper bound (31) of Lemma 6 with $\mathcal{A} = \langle c \rangle$ and $\mathcal{B} = \mathcal{S}_{\mathcal{I}}(\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top})$ and obtain

$$\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 \leq 1 + \dim \mathcal{B}^2 + \dim \mathcal{B}.$$

We finish the proof by noticing that

$$\Big(\mathcal{S}_{\mathcal{I}}\big(\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}\big)\Big)^2 \subseteq \big(\mathcal{S}_{\mathcal{I}}(\mathcal{D})\big)^2 = \mathcal{D}'^2.$$

Moreover, $\dim \mathcal{B} \leq \dim \mathcal{D}' - 1$ when $\lambda \notin \mathcal{C}_{sec}$. Indeed, since $T$ is assumed to be invertible and, by assumption, $\lambda \notin \mathcal{C}_{sec}$, the code $\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}$ has codimension 1 in $\mathcal{D}$. Second, notice that the code $\mathcal{B}$ extended by zero equals $\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top} \cap \mathrm{Ext}(\mathcal{D}')$. Next, since by assumption $\mathrm{Ext}(\mathcal{D}') \not\subseteq \mathcal{C}_{sec}(\lambda)^{\perp} T^{\top}$, we get that $\mathcal{C}_{sec}(\lambda)^{\perp} T^{\top} \cap \mathrm{Ext}(\mathcal{D}')$ has codimension 1 in $\mathcal{D} \cap \mathrm{Ext}(\mathcal{D}') = \mathrm{Ext}(\mathcal{D}')$. Therefore $\dim \mathcal{B} = \dim \mathcal{D}' - 1$.


C.2 The graph associated to a sparsely mixed GRS code

Proposition 6 raises the issue of understanding the structure of shortenings of codes of the form $\mathcal{S}_{\mathcal{I}}(\mathcal{C} T^{\top})$⁶ where $\mathcal{C}$ is a GRS code, $T$ is a sparse square matrix and $\mathcal{I}$ is a subset of code positions of $\mathcal{C} T^{\top}$. We denote codes of this kind shortened sparsely mixed GRS codes. We will represent them by their defining triple $(\mathcal{C}, T, \mathcal{I})$. A colored graph associated to the pair $(T, \mathcal{I})$ will be very useful for studying such codes. It is defined as follows.

Definition 4 (graph associated to a shortened sparsely mixed GRS code $(\mathcal{C}, T, \mathcal{I})$). The graph associated to the shortened sparsely mixed GRS code is the bipartite graph $G(U \cup V, E)$ given by

— set of vertices $U \cup V$, with a bijection from $U$ to the set of columns of $T$ and where $V$ is in bijection with the rows of $T$;

— edge set $E$ where $uv$ is an edge of $E$ if and only if $T_{vu} \neq 0$.

All the vertices are colored in black with the exception of the vertices of $V$ which belong to $\mathcal{I}$, in which case they are colored in red, and the vertices of $V$ which are of degree 1 but which do not belong to $\mathcal{I}$, which are colored in blue.

⁶ To keep the connection with the BBCRS scheme and the meaning of $T$ in the BBCRS scheme we keep the transpose throughout the paper.
Remark 11. Notice that for the graph associated to the triple $(\mathcal{C}, T, \mathcal{I})$ (where $\mathcal{I}$ is arbitrary) corresponding to a BBCRS scheme, the positions of degree 2 in the BBCRS scheme correspond precisely to the vertices of $V$ of degree 2 whereas the positions of degree 1 in the BBCRS scheme correspond to the vertices of $V$ of degree 1.

This graph (without the coloring) is a way of representing a code of the form $GRS_{n-k}(x, y) T^{\top}$. Consider a codeword $(c_1, \ldots, c_n)$ of such a code. Clearly there exists a polynomial $P$ in $\mathbb{F}_q[X]$ of degree $< n - k$ such that for any $v \in \{1, \ldots, n\}$ we have

$$c_v = \sum_{u \sim v} y_{uv}\, P(x_u)$$

where $y_{uv} \stackrel{def}{=} y_u T_{vu}$ and the sum is taken over all vertices $u$ of $U$ that are adjacent to $v$. To understand the effect of shortening the code in a set of positions, consider a codeword $(c_v)_{v \in V \setminus \mathcal{I}}$ of the shortened code. The coordinates of such a codeword are given by the same formula as before, i.e. $c_v = \sum_{u \sim v} y_{uv} P(x_u)$ with $P$ a polynomial of degree $< n - k$, but now this polynomial should satisfy all the equations

$$\sum_{u \sim v} y_{uv}\, P(x_u) = 0$$

for all the $v$'s that belong to $\mathcal{I}$ (and which are therefore colored in red).

From now on and for the rest of the section we will assume that

Assumption 3. The set of positions of degree 1 of the sparsely mixed GRS code $GRS_{n-k}(x, y) T^{\top}$ contains an information set of the code and there are no positions of degree $> 2$.

The effect of shortening on the dimension of $\mathcal{C}^2$ when $\mathcal{C} = \mathcal{S}_{\mathcal{I}}(GRS_{n-k}(x, y) T^{\top})$ is better understood when we study first some extremal cases:

1. $\mathcal{I}$ contains only positions of degree 1;

2. $\mathcal{I}$ is reduced to a single degree-2 position.

Note: Recall that $J_1$, $J_2$ denote respectively the sets of degree-1 and degree-2 positions associated to the sparsely mixed code $GRS_{n-k}(x, y) T^{\top}$ and $\mathcal{C}$ denotes the shortened code $\mathcal{S}_{\mathcal{I}}(GRS_{n-k}(x, y) T^{\top})$.

Shortening with respect to positions of degree 1. In such a case, by using Inequality (32) from Lemma 6 with $\mathcal{I} = J_2$, we expect that

$$\dim \mathcal{C}^2 \leq \dim \mathcal{P}_{J_2}(\mathcal{C})^2 + |J_2|.$$

The point with this puncturing is that $\mathcal{P}_{J_2}(\mathcal{C})$ is (up to a rescaling of its coordinates) the code $\mathcal{S}_{\mathcal{I}}(GRS_{n-k}(x, y))$, a GRS code of dimension $n - k - |\mathcal{I}|$, and we can apply Proposition [ref] to obtain that $\dim \mathcal{P}_{J_2}(\mathcal{C})^2 = 2(n - k - |\mathcal{I}|) - 1$. This yields the upper bound

$$\dim \mathcal{C}^2 \leq 2(n - k) - 1 - 2|\mathcal{I}| + |J_2|. \tag{39}$$

It turns out that this upper bound is typically met.
Shortening with respect to a single position $i$ of degree 2: $\mathcal{I} = \{i\}$. We would typically expect in such a case to have

$$\dim \mathcal{C}^2 \leq 2(n - k) - 2 + |J_2|$$

since $|J_2|$ drops by 1.

It turns out that a stronger inequality holds in this case, the point being that shortening in a degree-2 position $i$ yields codewords of the form $\big(\sum_{u \sim v} y_{uv} P(x_u)\big)_{v \neq i}$ where $P$ is a polynomial of degree $< n - k$ which is such that $y_{j_1 i} P(x_{j_1}) + y_{j_2 i} P(x_{j_2}) = 0$, where the two vertices of $U$ adjacent to $i$ are $j_1$ and $j_2$ respectively. In such a case it turns out that

Proposition 7. Assume that $k$ is an integer with $k \leq n - 4$. Let $a, b, \lambda$ be three elements in $\mathbb{F}_q$ with $a \neq b$, $\lambda \neq 0$ and let $\mathcal{E}$ be the subcode of $GRS_{n-k}(x, y)$ given by

$$\mathcal{E} \stackrel{def}{=} \big\{(y_i P(x_i))_{1 \leq i \leq n} \;:\; \deg P < n - k,\; P(a) = \lambda P(b)\big\}.$$

Then $\mathcal{E}^2$ is the subcode of codimension 1 of the GRS code $GRS_{2(n-k)-1}(x, y^2)$ given by

$$\mathcal{E}^2 = \big\{(y_i^2 P(x_i))_{1 \leq i \leq n} \;:\; \deg P < 2(n - k) - 1,\; P(a) = \lambda^2 P(b)\big\}.$$

Proof. $\mathcal{E}^2$ is generated by codewords of the form $(y_i^2 P(x_i) Q(x_i))_{1 \leq i \leq n}$ with

$$\deg P < n - k,\qquad \deg Q < n - k,\qquad P(a) = \lambda P(b),\qquad Q(a) = \lambda Q(b).$$

In other words, we proved that

$$\mathcal{E}^2 \subseteq \big\{(y_i^2 P(x_i))_{1 \leq i \leq n} \;:\; \deg P < 2(n - k) - 1,\; P(a) = \lambda^2 P(b)\big\}$$

and to conclude the proof, we only need to prove that $\dim \mathcal{E}^2 \geq 2(n - k) - 2$.

Let $\mathcal{E}_0 \subseteq \mathcal{E}$ be defined as

$$\mathcal{E}_0 \stackrel{def}{=} \big\{(y_i P(x_i))_{1 \leq i \leq n} \;:\; \deg P < n - k,\; P(a) = P(b) = 0\big\},$$

and let $P, Q_a, Q_b$ be 3 polynomials of degree $< n - k$ such that $P(a) = \lambda P(b) \neq 0$, $Q_a$ vanishes with multiplicity 2 at $a$ and 1 at $b$, and $Q_b$ vanishes with multiplicity 1 at $a$ and 2 at $b$. The existence of such nonzero polynomials is guaranteed since we assumed $k$ to be $\leq n - 4$ and hence $n - k \geq 4$. For the very same reason, $\mathcal{E}_0$ is nonzero. The code $\mathcal{E}_0$ is a GRS code whose square is the subcode of $GRS_{2(n-k)-1}(x, y^2)$ of codimension 4 corresponding to polynomials vanishing at $a$ and $b$ with multiplicity 2 at both points. Thus, $\dim \mathcal{E}_0^2 = 2(n - k) - 5$. Next, one sees easily that

$$\mathcal{E}_0^2 \oplus \langle P Q_a \rangle \oplus \langle P Q_b \rangle \oplus \langle P^2 \rangle \subseteq \mathcal{E}^2,$$

and hence $\mathcal{E}^2$ has dimension at least $2(n - k) - 2$. This concludes the proof.

By applying this proposition to $\mathcal{P}_{J_2 \setminus \{i\}}(\mathcal{C})$, we easily obtain the stronger inequality

$$\dim \mathcal{C}^2 \leq 2(n - k) - 3 + |J_2|,$$

which is nothing but (39) with $|\mathcal{I}| = 1$.

Generalizing this idea to general subsets $\mathcal{I}$ of code positions, we expect that (39) holds in all cases. However it turns out that we have in general a stronger inequality. This is due to the fact that shortening sometimes has long-range effects. This is a point that we study in more detail in the following subsection.


C.3 Shortening induces merging and pruning of the graph.

We first start with a few examples which will help to understand the underlying phenomena.

Example 1. Let us shorten in a single position, i.e. $\mathcal{I} = \{v\}$ with $v$ of degree 1 adjacent to $u$, and we assume that there exists $v'$ of degree 2 adjacent to $u$ and $u'$ (see Figure 1).

[Fig. 1. A first example: vertices $u, u'$ in $U$ and $v, v'$ in $V$, with $v$ adjacent to $u$ and $v'$ adjacent to $u$ and $u'$.]

When we shorten $GRS_{n-k}(x, y) T^{\top}$ in $v$ this means that we consider only codewords of the form $\big(\sum_{u'' \sim w} y_{u'' w} P(x_{u''})\big)_{w \neq v}$ where $\deg P < n - k$ and $P(x_u) = 0$. Notice now that because of this, the code position $v'$ simplifies from $y_{uv'} P(x_u) + y_{u'v'} P(x_{u'})$ to $y_{u'v'} P(x_{u'})$. In this sense, the shortened sparsely mixed GRS code $\mathcal{S}_{\{v\}}(GRS_{n-k}(x, y) T^{\top})$ corresponds to a subcode of the sparsely mixed GRS code associated to a simplified graph. It is obtained from the graph associated to the shortened sparsely mixed code by removing $u$ and $v$ and the incident edges. Moreover its codewords $\big(\sum_{u'' \sim w} y_{u'' w} P(x_{u''})\big)_{w}$ correspond to polynomials satisfying an additional condition, namely $P(x_u) = 0$.

[Fig. 2. The simplified graph corresponding to the first example, with the additional condition $P(x_u) = 0$.]

In the new code, a degree-2 vertex disappeared and we therefore expect that the dimension of the square of the shortened sparsely mixed code is equal to

$$\dim \big(\mathcal{S}_{\{v\}}(GRS_{n-k}(x, y) T^{\top})\big)^2 = \dim \Big(\mathcal{P}_{J_2'}\big(\mathcal{S}_{\{v\}}(GRS_{n-k}(x, y) T^{\top})\big)\Big)^2 + |J_2'| = 2(n - k) - 1 - 2 + |J_2| - 1 = 2(n - k) - 4 + |J_2|,$$

where $J_2' = J_2 \setminus \{v'\}$ is the set of positions which are still of degree 2 in the simplified graph. In other words, we have to take into account that the effect of shortening may have deeper effects than just the sum of the effects of the shortening of degree-1 positions and degree-2 positions, which decreases the dimension by a term which is $|\mathcal{I}|$. As shown by this example, shortening might remove some other degree-2 positions which were not shortened and which could be transformed into a degree-1 position. We therefore expect that the effect of shortening in a set $\mathcal{I}$ leads to a dimension for $\mathcal{C}^2$ which is of the form

$$\dim \mathcal{C}^2 = 2(n - k) - 1 - 2|\mathcal{I}| + |J_2'|$$

where $J_2'$ is the set of code positions of degree 2 which remain after we take into account the effect of the shortening. Next, it turns out that we have to take into account a slightly more complicated phenomenon coming from the effect of the shortening of degree-2 positions. This is illustrated by the next example.

Example 2. Let us consider now an example where we shorten in two positions $v$ and $v'$ whose neighborhood is specified by Figure 3.

[Fig. 3. A second example: vertices $u, u', u''$ in $U$ and $v, v'', v'$ in $V$, with $v$ adjacent to $u$ and $u'$, $v'$ adjacent to $u'$ and $u''$, and $v''$ adjacent to $u$ and $u''$.]

A codeword of the shortened code $\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})$ is of the form $\big(\sum_{u \sim w} y_{uw} P(x_u)\big)_{w \in V \setminus \{v, v'\}}$ where $P$ should satisfy at the same time

$$\deg P < n - k,\qquad y_{uv}\, P(x_u) + y_{u'v}\, P(x_{u'}) = 0,\qquad y_{u'v'}\, P(x_{u'}) + y_{u''v'}\, P(x_{u''}) = 0.$$

Because of these relations, the codeword position $c_{v''}$ which has not been shortened is of the form

$$c_{v''} = y_{uv''}\, P(x_u) + y_{u''v''}\, P(x_{u''}) = \alpha\, P(x_u)$$

for some $\alpha$ that depends on the $y_{uv}$'s. In other words, the codeword position $v''$ becomes a position of degree 1 after shortening and it makes sense to merge the nodes $u$, $u'$ and $u''$ to represent the fact that we have linear relations between $P(x_u)$, $P(x_{u'})$ and $P(x_{u''})$, see Figure 4.

[Fig. 4. The second example revisited: the nodes $u, u', u''$ merged into the single node $\{u, u', u''\}$.]

The effect on the dimension can be understood by using Inequality (32) of Lemma 6 and we see that we should have

$$\dim \big(\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})\big)^2 \leq \dim \Big(\mathcal{P}_{J_2 \setminus \{v, v', v''\}}\big(\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})\big)\Big)^2 + |J_2 \setminus \{v, v', v''\}| \leq 2(n - k) - 1 - 2 + |J_2| - 3 = 2(n - k) - 6 + |J_2|,$$

where $J_2$ is the set of degree-2 positions of the sparsely mixed code $GRS_{n-k}(x, y) T^{\top}$. The $-2$ which follows the term $2(n - k) - 1$ is due to the fact that the code $\mathcal{P}_{J_2 \setminus \{v, v', v''\}}\big(\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})\big)$ is a code which satisfies

$$\mathcal{P}_{J_2 \setminus \{v, v', v''\}}\big(\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})\big) = \big\{\big(y_{u(w) w}\, P(x_{u(w)})\big)_{w} \;:\; \deg P < n - k,\; P(x_u) = \alpha P(x_{u'}) = \beta P(x_{u''})\big\},$$

where $u(w)$ is the unique vertex of $U$ adjacent to $w$, and $\alpha$ and $\beta$ are nonzero elements of $\mathbb{F}_q$. A generalization of Proposition 7 leads immediately to

$$\dim \Big(\mathcal{P}_{J_2 \setminus \{v, v', v''\}}\big(\mathcal{S}_{\{v, v'\}}(GRS_{n-k}(x, y) T^{\top})\big)\Big)^2 \leq 2(n - k) - 1 - 2.$$

In other words, we can quantify the effect of the shortening of degree-2 positions by merging the vertices of $U$ which are linked to a same vertex of $V$ which is shortened. If we obtain a vertex which corresponds to the merging of $d$ vertices then this induces a drop in dimension of $d - 1$ (this corresponds to a generalization of Proposition 7).

All these considerations lead to introduce the following algorithm, which formalizes them.


Algorithm for reducing the graph after shortening.

{Merge phase}
for all red nodes v of degree 2 do
    Remove v and the two edges u_1 v and u_2 v incident to it.
    Merge u_1 and u_2.
end for

{Pruning phase}
while there is a red node v in V of degree 1 adjacent to a black node u in U do
    Remove v.
    if there exists a black node v' adjacent to u which is of degree 1 then
        Remove v' and its incident edge.
    end if
    Remove u and all the edges adjacent to u.
end while


With the help of this algorithm we can bring in the crucial quantities which govern the dimension of $\mathcal{C}^2$ and, from Proposition 6, also of $\big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$:

— the set $\mathcal{M}$ of merged nodes in the graph which did not disappear during the pruning process;

— the degree $d(x)$ of such a merged node $x$, defined as the number of vertices of $U$ that have been merged together to yield this node $x$;

— the remaining set $J_2'$ of degree-2 nodes of $V$ after merging and pruning;

— the set $\mathcal{I}_1$ of degree-1 nodes of $V$ in the original graph that have disappeared during the process.

The dimension of $\mathcal{C}^2$ is typically given by

$$\dim \mathcal{C}^2 = 2(n - k) - 1 - 2|\mathcal{I}_1| + |J_2'| - \sum_{x \in \mathcal{M}}\big(d(x) - 1\big)$$

and from Proposition 6 (whose upper bound is actually generally met) the dimension of $\big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$ is typically given by

$$\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 = 3(n - k) - 1 - 2|\mathcal{I}_1| + |J_2'| - |\mathcal{I}| - \sum_{x \in \mathcal{M}}\big(d(x) - 1\big). \tag{40}$$


C.4 An example

We give in Figure 5 an example of a graph associated to a shortened sparsely mixed GRS code of length 10 where we shortened 4 positions. After the merging step, the graph is transformed into the graph given in Figure 6.

[Fig. 5. An example of a graph associated to a shortened sparsely mixed GRS code, positions 1 to 10.]

After the pruning step the graph further simplifies and becomes the graph given in Figure 7. In this case

— $\mathcal{M}$ is a set of two merged nodes: $\{3, 9\}$ and $\{5, 10\}$;

— the degree of both of these merged nodes is equal to 2;

— there remains no node of degree 2 in $V$ after merging and pruning: $J_2' = \emptyset$;

— two vertices of $V$ of degree 1 have disappeared during the process: $|\mathcal{I}_1| = 2$.

If we assume that the dimension of the underlying GRS code was 6 at the beginning we therefore expect a dimension of $\big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$ of

$$\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 = 3 \times 6 - 1 - 2 \times 2 + 0 - 4 - 2 = 7.$$

[Fig. 7. The graph obtained after the merging and the pruning step (here red vertices and edges do not belong to the graph, they are just here to indicate which edges and nodes have been removed).]
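The merging and pruning algorithm of Section C.3, together with the bookkeeping of the quantities $\mathcal{M}$, $d(x)$, $J_2'$ and $\mathcal{I}_1$ that enter (40), as an added Python example (it is not the paper's code). The two graphs it runs on are constructed for this example: the first is chosen so that it has the same counts as the length-10 example of this section (whose figure is not reproduced here), the second has the shape of Example 1 of Section C.3; the function names are mine.

```python
"""Merge and pruning of the graph of a shortened sparsely mixed GRS code (added example)."""


def reduce_graph(n, edges, shortened):
    """Run the merge phase and the pruning phase on the graph of the pair (T, I).

    n          number of positions; U = {1..n} indexes the columns of T, V = {1..n} its rows
    edges      set of pairs (u, v) with T[v][u] != 0 (1-based)
    shortened  the set I of shortened positions, i.e. the red vertices of V
    Returns (merged, j2_remaining, i1): merged maps each surviving merged node to the
    original U vertices it stands for (d(x) is the size of that set), j2_remaining lists
    the positions still of degree 2, i1 the shortened degree-1 positions that disappeared.
    """
    adj_u = {u: set() for u in range(1, n + 1)}
    adj_v = {v: set() for v in range(1, n + 1)}
    for u, v in edges:
        adj_u[u].add(v)
        adj_v[v].add(u)
    red = set(shortened)
    blue = {v for v in adj_v if v not in red and len(adj_v[v]) == 1}
    members = {u: {u} for u in adj_u}   # original U vertices represented by each node

    # Merge phase: a shortened degree-2 position ties P(x_u1) and P(x_u2) by one linear
    # relation, so u1 and u2 collapse into a single node.
    for v in sorted(red):
        if len(adj_v[v]) != 2:
            continue
        u1, u2 = sorted(adj_v.pop(v))
        adj_u[u1].discard(v)
        adj_u[u2].discard(v)
        for w in adj_u.pop(u2):
            adj_v[w].discard(u2)
            adj_v[w].add(u1)
            adj_u[u1].add(w)
        members[u1] |= members.pop(u2)

    # Pruning phase: a shortened degree-1 position v at u forces P(x_u) = 0, so u and its
    # edges vanish; a black neighbour of u left with a single edge goes with it.
    removed_red = []
    while True:
        v = next((v for v in sorted(adj_v) if v in red and len(adj_v[v]) == 1), None)
        if v is None:
            break
        (u,) = adj_v.pop(v)
        adj_u[u].discard(v)
        removed_red.append(v)
        for w in [w for w in adj_u[u] if w not in red and w not in blue and len(adj_v[w]) == 1]:
            del adj_v[w]
            adj_u[u].discard(w)
        for w in adj_u.pop(u):
            adj_v[w].discard(u)
        del members[u]

    merged = {u: m for u, m in members.items() if len(m) > 1}
    j2_remaining = sorted(v for v in adj_v if len(adj_v[v]) == 2)
    return merged, j2_remaining, removed_red


def expected_dimensions(n_minus_k, n_shortened, merged, j2_remaining, i1):
    """Typical dim C^2 (GRS part only) and formula (40) for dim (S_I(C_pub^perp))^2."""
    drop = sum(len(m) - 1 for m in merged.values())
    grs_part = 2 * n_minus_k - 1 - 2 * len(i1) + len(j2_remaining) - drop
    with_rank_one = 3 * n_minus_k - 1 - 2 * len(i1) + len(j2_remaining) - n_shortened - drop
    return grs_part, with_rank_one


# Constructed graphs (not the paper's figures). Position v reads coordinate v, and in
# addition position 3 reads coordinate 9 and position 5 reads coordinate 10.
EDGES_A = {(v, v) for v in range(1, 11)} | {(9, 3), (10, 5)}
# Shape of Example 1: position 4 also reads coordinate 1, and only position 1 is shortened.
EDGES_B = {(v, v) for v in range(1, 11)} | {(1, 4)}


def demo():
    merged_a, j2_a, i1_a = reduce_graph(10, EDGES_A, {1, 2, 3, 5})
    merged_b, j2_b, i1_b = reduce_graph(10, EDGES_B, {1})
    return (expected_dimensions(6, 4, merged_a, j2_a, i1_a),
            expected_dimensions(6, 1, merged_b, j2_b, i1_b))


if __name__ == "__main__":
    print(demo())
```

On the first graph the merge phase produces the two nodes $\{3, 9\}$ and $\{5, 10\}$, the pruning phase removes positions 1 and 2 with their coordinates, no degree-2 position survives, and (40) with $n - k = 6$ gives 7, the value of this section. On the second graph nothing is merged, but removing coordinate 1 turns position 4 into a degree-1 position, so $J_2'$ is empty although only one position was shortened: this is the long-range effect of Example 1.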



C.5 The relationship between $\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$ and $\dim \big(\mathcal{P}_i(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}))\big)^2$

A quick inspection of the reasoning underlying Formula (40) for $\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2$ shows that we expect that

$$\dim \big(\mathcal{P}_i(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}))\big)^2 = \begin{cases} 3(n - k) - 1 - 2|\mathcal{I}_1| + |J_2'| - |\mathcal{I}| - \sum_{x \in \mathcal{M}}(d(x) - 1) & \text{if } i \notin J_2' \\[4pt] 3(n - k) - 1 - 2|\mathcal{I}_1| + |J_2'| - 1 - |\mathcal{I}| - \sum_{x \in \mathcal{M}}(d(x) - 1) & \text{if } i \in J_2' \end{cases}$$

In other words we expect that

$$\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 - \dim \big(\mathcal{P}_i(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}))\big)^2 = \begin{cases} 0 & \text{if } i \notin J_2' \\ 1 & \text{if } i \in J_2' \end{cases}$$

The positions of degree 2 that we detect by computing $\dim \big(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp})\big)^2 - \dim \big(\mathcal{P}_i(\mathcal{S}_{\mathcal{I}}(\mathcal{C}_{pub}^{\perp}))\big)^2$ are therefore the elements of $J_2'$, that is the vertices which remain of degree 2 after merging and pruning the graph.
Algorithm 1 Algorithm for detecting the positions of degree 2

Function IsADegree2Position(C, i, S_max)
requires:
    — a code C which is of the same form as C_pub^⊥ of the BBCRS scheme;
    — i a code position of C;
    — a maximal number S_max of tests.
Output: yes (if i has degree 2) / probably not (if we think that i has degree 1).

for S = 1 to S_max do
    I ← random subset of {1, ..., n} \ {i} which satisfies (12)
    C' ← S_I(C)
    if Dimension(C'^2) ≠ Dimension(P_i(C')^2) then
        return yes
    end if
end for
return probably not
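Here is the test of Algorithm 1 run end to end on a toy instance, as an added Python example (it is not the paper's Magma code): a GRS code over $\mathbb{F}_{31}$ of length 12 and dimension $n - k = 4$ is mixed with a sparse $T$ having a single degree-2 row, the dimensions $\dim \mathcal{C}^2$ and $\dim \mathcal{P}_i(\mathcal{C})^2$ are compared for every position, and the same test is repeated after shortening at the degree-1 position whose coordinate also feeds the degree-2 one, which is the situation of Example 1 in Appendix C.3. The rank-one matrix $R$ and the constraint (12) on $\mathcal{I}$ are left out ($\mathcal{I}$ is a single position here), and all helper names are mine.

```python
"""Square-code test of Algorithm 1 on a toy sparsely mixed GRS code (added example)."""
from itertools import combinations_with_replacement

Q = 31  # prime field F_31 used for this constructed instance


def rref(rows):
    """Reduced row echelon form over F_Q: returns the nonzero rows and their pivot columns."""
    rows = [[v % Q for v in r] for r in rows]
    pivots, r = [], 0
    for c in range(len(rows[0]) if rows else 0):
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], Q - 2, Q)
        rows[r] = [(v * inv) % Q for v in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(a - f * b) % Q for a, b in zip(rows[i], rows[r])]
        pivots.append(c)
        r += 1
        if r == len(rows):
            break
    return rows[:r], pivots


def dim(gen):
    return len(rref(gen)[0])


def grs(x, y, d):
    """Generator matrix of GRS_d(x, y) = {(y_i P(x_i))_i : deg P < d}."""
    return [[y[i] * pow(x[i], e, Q) % Q for i in range(len(x))] for e in range(d)]


def mix(gen, t):
    """Right-multiply the code by T^T: c_i = sum_j c'_j T[i][j], so row i of T lists the
    GRS coordinates feeding position i and its weight is the degree of position i."""
    n = len(t)
    return [[sum(row[j] * t[i][j] for j in range(n)) % Q for i in range(n)] for row in gen]


def square(gen):
    """Generators of the square code: all pairwise Schur products of the generators."""
    return [[a * b % Q for a, b in zip(u, v)] for u, v in combinations_with_replacement(gen, 2)]


def puncture(gen, positions):
    keep = [j for j in range(len(gen[0])) if j not in positions]
    return [[row[j] for j in keep] for row in gen]


def shorten(gen, positions):
    """S_I(C): codewords vanishing on I, with the coordinates in I deleted."""
    positions = sorted(positions)
    others = [j for j in range(len(gen[0])) if j not in positions]
    rows, pivots = rref([[row[j] for j in positions + others] for row in gen])
    # with the columns of I placed first, a reduced row whose pivot lies beyond them is zero on I
    return [row[len(positions):] for row, p in zip(rows, pivots) if p >= len(positions)]


def is_degree2_position(gen, i):
    """Test of Algorithm 1: dim C^2 != dim P_i(C)^2, i.e. the unit vector e_i lies in C^2."""
    return dim(square(gen)) != dim(square(puncture(gen, [i])))


# Constructed instance: 12 evaluation points, GRS dimension n - k = 4, and T equal to
# the identity except that position 3 also reads coordinate 7 (the only degree-2 row).
N, D = 12, 4
X = list(range(1, N + 1))
Y = [1] * N
T = [[int(i == j) for j in range(N)] for i in range(N)]
T[3][7] = 2


def demo():
    """Positions detected as degree 2: on the mixed code, after shortening at 7, after shortening at 0."""
    code = mix(grs(X, Y, D), T)      # stands for C_pub^perp = GRS_{n-k}(x, y) T^T, without R
    found = [i for i in range(N) if is_degree2_position(code, i)]
    # Shortening at 7 forces P(x_7) = 0, so position 3 collapses to degree 1 (Example 1, Appendix C.3)
    after_7 = [i for i in range(N - 1) if is_degree2_position(shorten(code, [7]), i)]
    # Shortening at an unrelated degree-1 position keeps position 3 (now index 2) detectable
    after_0 = [i for i in range(N - 1) if is_degree2_position(shorten(code, [0]), i)]
    return found, after_7, after_0


if __name__ == "__main__":
    print(demo())
```

Puncturing commutes with the Schur product, so $\dim \mathcal{C}^2 - \dim \mathcal{P}_i(\mathcal{C})^2$ is either 0 or 1 and equals 1 exactly when the unit vector $e_i$ belongs to $\mathcal{C}^2$; on this instance the square of the mixed code is $GRS_7(x, y^2) \oplus \langle e_3 \rangle$ of dimension 8 instead of the dimension 7 of a plain GRS square, so only position 3 is reported. After shortening at position 7 the shortened code is a plain GRS code again and nothing is reported, the long-range effect of Example 1, whereas shortening at position 0 leaves the degree-2 position detectable.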


D Proof of Proposition [ref]

We first notice that

$$\mathcal{C}\, D(a, i_1, i_2) = \mathcal{C}_{sec}^{\perp}\big(T^{\top} D(a, i_1, i_2) + R^{\top} D(a, i_1, i_2)\big).$$

Note that $R^{\top} D(a, i_1, i_2)$ and its transpose are both of rank at most one since $R$ is of rank $\leq 1$. Let

$$S^{\top} \stackrel{def}{=} T^{\top} D(a, i_1, i_2).$$

Denote the entry in row $i$ and column $j$ of $T$, $T^{\top}$, $S^{\top}$ and $D(a, i_1, i_2)$ by $T_{ij}$, $T^{\top}_{ij}$, $S^{\top}_{ij}$ and $D(a, i_1, i_2)_{ij}$ respectively. From the very definition of $D(a, i_1, i_2)$, $S^{\top}$ and $T^{\top}$ coincide in all entries with the exception of the entry in row $j_1$ and column $i_2$ where we have

$$S^{\top}_{j_1 i_2} = T^{\top}_{j_1 i_2} - \frac{T_{i_2 j_1}}{T_{i_1 j_1}}\, T^{\top}_{j_1 i_1} = T^{\top}_{j_1 i_2} - \frac{T^{\top}_{j_1 i_1}\, T^{\top}_{j_1 i_2}}{T^{\top}_{j_1 i_1}} = 0.$$


E Algorithms of the Attack

Algorithm 2 Algorithm to compute quickly the sets J_1 and J_2 of positions of degree 1 and 2

Function Degree1and2Positions(C, S_max)
requires:
    — a code C which is of the same form as C_pub^⊥ of the BBCRS scheme;
    — a maximal number S_max of tests.
Output: The sets J_1 and J_2 of positions of degree 1 and 2.

J_1 ← {1, ..., n}
J_2 ← ∅
for S = 1 to S_max do
    I ← random subset of {1, ..., n}, which satisfies (12)
    C' ← S_I(C)
    for i ∈ J_1 \ I do
        if Dimension(C'^2) ≠ Dimension(P_i(C')^2) then
            J_1 ← J_1 \ {i}
            J_2 ← J_2 ∪ {i}
        end if
    end for
end for
return J_1, J_2

Algorithm 3 Algorithm to compute the set of positions of degree 2 which are associated to a given position i_1 of degree 1, that is the positions i_2 such that j(i_1) ∈ j(i_2)

Function AssociatedDegree2Positions(C, i_1, J_1, J_2, S_max)
requires:
    — a code C which is of the same form as C_pub^⊥ of the BBCRS scheme;
    — the sets J_1, J_2 of positions of respective degrees 1 and 2;
    — a position i_1 ∈ J_1;
    — a maximal number S_max of tests.
Output: The set of positions of degree 2 associated to i_1.

C' ← S_{{i_1}}(C)
J_1', J_2' ← Degree1and2Positions(C', S_max)
return J_2 \ J_2'

Algorithm 4 Algorithm to transform a degree-2 position into a degree-1 one

Function EliminateDegree2Position(C, i_1, i_2, S_max)
requires:
    — a code C which is of the same form as C_pub^⊥ of the BBCRS scheme;
    — a position i_2 ∈ J_2;
    — a position i_1 ∈ J_1 associated to i_2;
    — a maximal number of tests S_max.
Output: A pair (C', a), where C' = C D(a, i_1, i_2) and D(a, i_1, i_2) is defined in Proposition [ref].

for a ∈ F_q do
    C' ← C D(a, i_1, i_2)
    if IsADegree2Position(C', i_2, S_max) = probably not then
        return (C', a)
    end if
end for
return "ERROR, i_1 is not associated to i_2"

Algorithm 5 Complete algorithm for the attack

Function CompleteAttack(C)
requires:
    — a code C which is of the same form as C_pub^⊥ of the BBCRS scheme. That is, C = GRS_{n-k}(x, y)(T + R)^T for some sparse matrix T and some rank-one matrix R. The set of degree-1 positions of C contains an information set;
    — a maximal number of tests S_max.
Output: A tuple (T, R, u, v, I) such that P_I(C) = GRS_{n-k}(u, v)(T + R)^T and with I as large as possible.

J_1, J_2 ← Degree1and2Positions(C, S_max)
T ← I_n    {I_n is the n × n identity matrix}
C' ← C
while J_2 ≠ ∅ and J_1 ≠ ∅ do
    i_1 ← Random(J_1)
    J' ← AssociatedDegree2Positions(C', i_1, J_1, J_2, S_max)
    for i_2 ∈ J' do
        C', a ← EliminateDegree2Position(C', i_1, i_2, S_max)
            {We replaced C' by C' D(a, i_1, i_2), where D(a, i_1, i_2) is defined in Proposition [ref]}
        T ← D(a, i_1, i_2)^{-1} T    {We preserve the loop invariant C = C' T}
        J_2 ← J_2 \ {i_2}
        J_1 ← J_1 \ {i_1}
        J_1 ← J_1 ∪ {i_2}
    end for
end while
C' ← P_{J_2}(C')
T ← Puncture(T, J_2)    {We drop the columns and the rows of T that belong to J_2}
{At this point, there exist u, v, Π, R with R of rank one and Π a permutation matrix such that P_{J_2}(C') = GRS_{n-k}(u, v)(Π + R)^T}
(Π, R, u, v) ← Attack(C')    {Here the algorithm of [11, §4] is used and gives a possible Π, R, u and v that satisfy C' = GRS_{n-k}(u, v)(Π + R)^T}
return (T Π, T R, u, v, J_2)